Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
artica -- pandora_fms | A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass. | 2021-05-07 | 7.5 | [CVE ID illegible]; MISC, MISC
artica -- pandora_fms | Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. | 2021-05-07 | 7.5 | CVE-2021-32098; MISC, MISC, MISC
jetbrains -- teamcity | In JetBrains TeamCity before 2020.2.3, argument injection leading to remote code execution was possible. | 2021-05-11 | 7.5 | CVE-2021-31909; MISC, MISC
microsoft -- windows_10 | HTTP Protocol Stack Remote Code Execution Vulnerability | 2021-05-11 | 7.5 | [CVE ID and source illegible]
qualcomm -- apq8009_firmware | Memory corruption while processing crafted SDES packets due to improper length check in SDES packets received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 2021-05-07 | 10 | CVE-2020-11279; CONFIRM
qualcomm -- apq8009_firmware | Double free in video due to lack of input buffer length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 2021-05-07 | 10 | CVE-2021-1910; CONFIRM
qualcomm -- apq8009_firmware | Possible use after free due to improper handling of memory mapping of multiple processes simultaneously in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 2021-05-07 | 7.2 | CVE-2021-1905; CONFIRM
qualcomm -- apq8009_firmware | Out of bound write can occur in TZ command handler due to lack of validation of command ID in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 2021-05-07 | 7.2 | CVE-2020-11289; CONFIRM
/goform/setmac allows attackers to execute arbitrary code on the
qualcomm -- apq8009_firmware | Possible use after free due to lack of null check while memory is being freed in FastRPC driver in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 2021-05-07 | 7.2 | CVE-2021-1927; CONFIRM
qualcomm -- apq8009_firmware | Buffer over-read while unpacking the RTCP packet we may read extra byte if wrong length is provided in RTCP packets in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 2021-05-07 | [score illegible] | CVE-2020-11285; CONFIRM
qualcomm -- apq8009w_firmware | Possible integer overflow due to improper length check while flashing an image in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music | 2021-05-07 | 7.2 | CVE-2021-1895; CONFIRM
qualcomm -- [product illegible] | Buffer overflow can occur due to improper validation of NDP application information length in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 2021-05-07 | 7.2 | CVE-2021-1915; CONFIRM
qualcomm -- [product illegible] | Denial of service in MODEM due to assert to the invalid configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 2021-05-07 | 7.8 | CVE-2020-11274; CONFIRM
qualcomm -- aqt1000_firmware | Possible denial of service scenario due to improper handling of group management action frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 2021-05-07 | 7.8 | CVE-2021-1925; CONFIRM
qualcomm -- aqt1000_firmware | Locked memory can be unlocked and modified by non secure boot loader through improper system call sequence making the memory region untrusted source of input for secure boot loader in Snapdragon Auto, Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 2021-05-07 | [score illegible] | CVE-2020-11284; CONFIRM
qualcomm -- aqt1000_firmware | Out of bound write can occur in playready while processing command due to lack of input validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | 2021-05-07 | [score illegible] | CVE-2020-11288; CONFIRM
qualcomm -- csrb31024_firmware | Histogram type KPI was teardown with the assumption of the existence of histogram binning info and will lead to null pointer access when histogram binning info is missing due to lack of null check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile | 2021-05-07 | 7.8 | CVE-2020-11273; CONFIRM
remotemouse -- emote_remote_mouse | An issue was discovered in Emote Remote Mouse through 4.0.0.0. Remote unauthenticated users can execute arbitrary code via crafted UDP packets with no prior authorization or authentication. | 2021-05-07 | 7.5 | [CVE ID illegible]; MISC
stacklift -- localstack | The dashboard component of StackLift LocalStack 0.12.6 allows attackers to inject arbitrary shell commands via the functionName parameter. | 2021-05-07 | 10 | CVE-2021-32090; MISC, MISC
tenda -- ac11_firmware | An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request. | 2021-05-07 | 10 | CVE-2021-31758; MISC
tenda -- ac11_firmware | An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request. | 2021-05-07 | 10 | CVE-2021-31757; MISC
tenda -- ac11_firmware | An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copied to the stack variable. | 2021-05-07 | 10 | CVE-2021-31756; MISC
tenda -- ac11_firmware | An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in [...] system via a crafted post request. | 2021-05-07 | 10 | CVE-2021-31755
5none -- nonecms | NoneCMS v1.3 has a CSRF vulnerability in public/index.php/admin/nav/add.html, as demonstrated by adding a navigation column which can be injected with arbitrary web script or HTML via the name parameter to launch a stored XSS attack. | 2021-05-10 | 4.3 | CVE-2020-23376; MISC
5none -- nonecms | Cross-site scripting (XSS) vulnerability in static/admin/js/kindeditor/plugins/multiimage/images/swfupload.swf in noneCms v1.3.0 allows remote attackers to inject arbitrary web script or HTML via the movieName parameter. | 2021-05-10 | 4.3 | CVE-2020-23371; MISC
artica -- pandora_fms | A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user. | 2021-05-07 | 4 | CVE-2021-32100; MISC, MISC, MISC
atlassian -- confluence | Affected versions of Confluence Server before 7.11.0 allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters. | 2021-05-07 | 4 | CVE-2020-29445; [source illegible]
craftcms -- craft_cms | Craft CMS before 3.6.13 has an XSS vulnerability. | 2021-05-07 | [score illegible] | CVE-2021-32470; MISC, MISC
eng -- knowage | Knowage Suite 7.3 is vulnerable to unauthenticated reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in '/servlet/AdapterHTTP' via the 'targetService' parameter. | 2021-05-12 | [score illegible] | CVE-2021-30213; MISC
eventlet -- eventlet | Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process. | 2021-05-07 | [score illegible] | CVE-2021-21419; CONFIRM
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects embedded in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-13273. | 2021-05-07 | [score illegible] | CVE-2021-31448; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13101. | 2021-05-07 | [score illegible] | CVE-2021-31441; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13089. | 2021-05-07 | [score illegible] | CVE-2021-31451; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects embedded in PDF files. The issue results from the lack of validating the existence of an object prior to performing further free operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13280. | 2021-05-07 | [score illegible] | CVE-2021-31449; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13239. | 2021-05-07 | [score illegible] | CVE-2021-31442; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects embedded in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-13240. | 2021-05-07 | [score illegible] | CVE-2021-31443; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects embedded in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-13241. | 2021-05-07 | [score illegible] | CVE-2021-31444; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects embedded in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-13244. | 2021-05-07 | [score illegible] | CVE-2021-31445; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects embedded in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-13245. | 2021-05-07 | [score illegible] | CVE-2021-31446; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects embedded in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-13269. | 2021-05-07 | [score illegible] | CVE-2021-31447; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XFA forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13084. | 2021-05-07 | [score illegible] | CVE-2021-31450; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XFA forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13100. | 2021-05-07 | [score illegible] | CVE-2021-31455; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the Decimal element. A crafted leadDigits value in a Decimal element can trigger an overflow of a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current process. Was ZDI-CAN-13095. | 2021-05-07 | [score illegible] | CVE-2021-31454; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XFA Forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13092. | 2021-05-07 | [score illegible] | CVE-2021-31453; MISC, MISC
foxitsoftware -- foxit_reader | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XFA forms. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13091. | 2021-05-07 | [score illegible] | CVE-2021-31452; MISC, MISC
foxitsoftware -- phantompdf | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13102. | 2021-05-07 | [score illegible] | CVE-2021-31456; MISC, MISC
foxitsoftware -- phantompdf | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of app.media objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13333. | 2021-05-07 | [score illegible] | CVE-2021-31461; MISC, MISC
foxitsoftware -- phantompdf | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XFA templates. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13096. | 2021-05-07 | [score illegible] | CVE-2021-31460; MISC, MISC
foxitsoftware -- phantompdf | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XFA Forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13162. | 2021-05-07 | [score illegible] | CVE-2021-31459; MISC, MISC
foxitsoftware -- phantompdf | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13150. | 2021-05-07 | 6.8 | CVE-2021-31458; MISC, MISC
foxitsoftware -- phantompdf | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13147. | 2021-05-07 | 6.8 | CVE-2021-31457; MISC, MISC
hashicorp -- vault-action | HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking. | 2021-05-07 | 5 | [CVE ID illegible]; MISC, MISC, MISC
ibm -- cloud_pak_for_security | IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 could allow a user to obtain sensitive information or perform actions they should not have access to due to incorrect authorization mechanisms. IBM X-Force ID: 198919. | 2021-05-10 | 6.4 | [CVE ID illegible]; CONFIRM
ibm -- cloud_pak_for_security | IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199281. | 2021-05-10 | 4.3 | CVE-2021-20577; CONFIRM, XF
ibm -- openpages_grc_platform | IBM OpenPages GRC Platform 8.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 182907. | 2021-05-11 | 4 | CVE-2020-4536; CONFIRM, XF
ibm -- robotic_process_automation_with_automation_anywhere | IBM Robotic Process Automation with Automation Anywhere 11.0 could allow an attacker on the network to obtain sensitive [...] a denial of service through username enumeration. IBM X-Force ID: 190992. | 2021-05-07 | 6.4 | CVE-2020-4901; CONFIRM
jenkins -- credentials | Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability. | 2021-05-11 | 4.3 | CVE-2021-21648; CONFIRM
jetbrains -- intellij_idea | In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of unbounded resource allocation. | [date illegible] | [score illegible] | [CVE ID illegible]; MISC
jetbrains -- teamcity | In JetBrains TeamCity before 2020.2.2, audit logs were not sufficient when an administrator uploaded a file. | 2021-05-11 | 4 | [CVE ID illegible]; MISC
jetbrains -- teamcity | In JetBrains TeamCity before 2020.2.2, permission checks for changing TeamCity plugins were implemented improperly. | 2021-05-11 | 5 | [CVE ID illegible]; MISC
jetbrains -- teamcity | [...] 2020.2.3, reflected XSS was [...] pages. | 2021-05-11 | 4.3 | CVE-2021-31911; MISC, MISC
jetbrains -- teamcity | [...] XSS was potentially [...] page. | 2021-05-11 | 4.3 | CVE-2021-31904; MISC, MISC
jetbrains -- youtrack | In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible. | 2021-05-11 | 5 | CVE-2021-31905; MISC, MISC
linux -- linux_kernel | net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. | [date illegible] | 4.4 | CVE-2021-32399; MISC, MISC, MLIST
livinglogic -- xist4c | LivingLogic XIST4C before 0.107.8 allows XSS via feedback.htm | 2021-05-07 | 4.3 | CVE-2021-26122; MISC, MISC
livinglogic -- xist4c | LivingLogic XIST4C before 0.107.8 allows XSS via login.htm, login.wihtm, or login-form.htm. | 2021-05-07 | 4.3 | CVE-2021-26123; MISC, MISC
microsoft -- windows_10 | Windows Container Manager Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31165, CVE-2021-31167, CVE-2021-31169, CVE-2021-31208. | 2021-05-11 | 4.6 | CVE-2021-31168; N/A, MISC
microsoft -- windows_10 | Hyper-V Remote Code Execution Vulnerability | 2021-05-11 | [score illegible] | [CVE ID and source illegible]
microsoft -- windows_10 | Windows Graphics Component Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31188. | 2021-05-11 | [score illegible] | CVE-2021-31170; [source illegible]
microsoft -- windows_10 | Windows Container Manager Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31165, CVE-2021-31167, CVE-2021-31168, CVE-2021-31208. | 2021-05-11 | 4.6 | CVE-2021-31169; N/A, MISC
microsoft -- windows_10 | Windows Container Manager Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31167, CVE-2021-31168, CVE-2021-31169, CVE-2021-31208. | 2021-05-11 | 4.6 | CVE-2021-31165; N/A, MISC
microsoft -- windows_10 | Windows Container Manager Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31165, CVE-2021-31168, CVE-2021-31169, CVE-2021-31208. | 2021-05-11 | 4.6 | CVE-2021-31167; N/A, MISC
nim-lang -- nim | Nim is a statically typed compiled systems programming language. In Nim standard library before 1.4.2, httpClient SSL/TLS certificate verification was disabled by default. Users can upgrade to version 1.4.2 to receive a patch or, as a workaround, set "verifyMode = CVerifyPeer" as documented. | 2021-05-07 | 5 | CVE-2021-29495; CONFIRM
nsa -- emissary | A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the uuid parameter. | 2021-05-07 | 4.3 | CVE-2021-32092; MISC, MISC
nsa -- emissary | The ConfigFileAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to read arbitrary files via the ConfigName parameter. | 2021-05-07 | 4 | CVE-2021-32093; MISC, MISC
nsa -- emissary | U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to upload arbitrary files. | 2021-05-07 | 6.5 | CVE-2021-32094; MISC, MISC
nsa -- emissary | U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to delete arbitrary files. | 2021-05-07 | 5.5 | CVE-2021-32095; MISC, MISC
open-emr -- openemr | The Patient Portal of OpenEMR 5.0.2.1 is affected by an incorrect access control system in portal/patient/_machine_config.php. To exploit the vulnerability, an unauthenticated attacker can register an account, bypassing the permission check of this portal's API. Then the attacker can manipulate and read data of every registered patient. | 2021-05-07 | 6.4 | CVE-2021-32101; MISC, MISC, MISC, MISC
open-emr -- openemr | A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1. | 2021-05-07 | 6.5 | CVE-2021-32104; MISC, MISC, MISC, MISC, MISC
open-emr -- openemr | A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. | 2021-05-07 | 6.5 | CVE-2021-32102; MISC, MISC, MISC, MISC, MISC
openclinic_ga_project -- openclinic_ga | An exploitable SQL injection vulnerability exists in 'listImmoLabels.jsp' page of OpenClinic GA 5.173.3 application. The immoCode parameter in the 'listImmoLabels.jsp' page is vulnerable to authenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. | 2021-05-11 | 6.5 | [CVE ID and source illegible]
openclinic_ga_project -- openclinic_ga | A number of exploitable SQL injection vulnerabilities exist in 'patientslist.do' page of OpenClinic GA 5.173.3 application. The findSector parameter in 'patientslist.do' page is vulnerable to authenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. | 2021-05-10 | 6.5 | [CVE ID and source illegible]
openclinic_ga_project -- openclinic_ga | A number of exploitable SQL injection vulnerabilities exist in 'patientslist.do' page of OpenClinic GA 5.173.3 application. The findDistrict parameter in 'patientslist.do' page is vulnerable to authenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. | 2021-05-10 | 6.5 | [CVE ID and source illegible]
openclinic_ga_project -- openclinic_ga | An exploitable SQL injection vulnerability exists in 'manageServiceStocks.jsp' page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. | 2021-05-10 | 6.5 | [CVE ID illegible]; MISC
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Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, 
Snapdragon Wearables 

















Primary ae P Cvss Source & Patch 
Vendor -- Product Bescmpilon Pubilehed Score Info 
Vendor -- Product: openclinic_ga_project -- openclinic_ga
Description: An exploitable SQL injection vulnerability exists in the 'listImmoLabels.jsp' page of the OpenClinic GA 5.173.3 application. The immoLocation parameter in the 'listImmoLabels.jsp' page is vulnerable to authenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Published: 2021-05-11
CVSS Score: 6.5
Source & Patch Info: (illegible)

Vendor -- Product: openclinic_ga_project -- openclinic_ga
Description: An exploitable SQL injection vulnerability exists in the 'listImmoLabels.jsp' page of the OpenClinic GA 5.173.3 application. The immoService parameter in the 'listImmoLabels.jsp' page is vulnerable to authenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Published: 2021-05-11
CVSS Score: 6.5
Source & Patch Info: (illegible)

Vendor -- Product: openclinic_ga_project -- openclinic_ga
Description: An exploitable SQL injection vulnerability exists in the 'listImmoLabels.jsp' page of the OpenClinic GA 5.173.3 application. The immoComment parameter in the 'listImmoLabels.jsp' page is vulnerable to authenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Published: 2021-05-11
CVSS Score: 6.5
Source & Patch Info: (illegible)

Vendor -- Product: openclinic_ga_project -- openclinic_ga
Description: An exploitable SQL injection vulnerability exists in the 'listImmoLabels.jsp' page of the OpenClinic GA 5.173.3 application. The immoBuyer parameter in the 'listImmoLabels.jsp' page is vulnerable to authenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Published: 2021-05-11
CVSS Score: 6.5
Source & Patch Info: (illegible)

Vendor -- Product: openclinic_ga_project -- openclinic_ga
Description: An exploitable SQL injection vulnerability exists in the 'quickFile.jsp' page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Published: 2021-05-10
CVSS Score: 6.5
Source & Patch Info: CVE-2020-27226, MISC

Vendor -- Product: openclinic_ga_project -- openclinic_ga
Description: A number of exploitable SQL injection vulnerabilities exist in the 'patientslist.do' page of the OpenClinic GA 5.173.3 application. The findPersonID parameter in the 'patientslist.do' page is vulnerable to authenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Published: 2021-05-10
CVSS Score: 6.5
Source & Patch Info: (illegible)

Vendor -- Product: paxtechnology -- paxstore
Description: Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by a token spoofing vulnerability. Each payment terminal has a session token (called X-Terminal-Token) to access the marketplace. This allows the store to identify the terminal and make available the applications distributed by its reseller. By intercepting HTTPS traffic from the application store, it is possible to collect the request responsible for assigning the X-Terminal-Token to the terminal, which makes it possible to craft an X-Terminal-Token pretending to be another device. An attacker can use this behavior to authenticate its own payment terminal in the application store through token impersonation.
Published: 2021-05-07
CVSS Score: 6.4
Source & Patch Info: (CVE number illegible), MISC, MISC

Vendor -- Product: paxtechnology -- paxstore
Description: Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control where password revalidation in sensitive operations can be bypassed remotely by an authenticated attacker through requesting the endpoint directly.
Published: (illegible)
CVSS Score: 5.5
Source & Patch Info: CVE-2020-36125, MISC, MISC, MISC

Vendor -- Product: paxtechnology -- paxstore
Description: Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control that can lead to remote privilege escalation. PAXSTORE marketplace endpoints allow an authenticated user to read and write data not owned by them, including third-party users, application and payment terminals, where an attacker can impersonate any user which may lead to the unauthorized disclosure, modification, or destruction of information.
Published: (illegible)
CVSS Score: 5.5
Source & Patch Info: CVE-2020-36126, MISC, MISC, MISC

Vendor -- Product: paxtechnology -- paxstore
Description: Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).
Published: 2021-05-07
CVSS Score: 4
Source & Patch Info: (CVE number illegible), MISC, MISC

Vendor -- Product: paxtechnology -- paxstore
Description: Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by an information disclosure vulnerability. Through the PUK signature functionality, an administrator will not have access to the current p12 certificate and password. When accessing this functionality, the administrator has the option to replace the current certificate and it is not possible to view the certificate password (p12) already deployed on the platform. The replacement p12 certificate returns to users in base64 with its password, which can be accessed by non-administrator users.
Published: 2021-05-07
CVSS Score: 4
Source & Patch Info: (CVE number illegible), MISC, MISC

Vendor -- Product: qualcomm -- apq8009
Description: Potential UE reset while decoding a crafted Sib1 or SIB1 that schedules unsupported SIBs and can lead to denial of service in Snapdragon Auto, Snapdragon Mobile
Published: 2021-05-07
CVSS Score: (illegible)
Source & Patch Info: CVE-2020-11268, CONFIRM

Vendor -- Product: qualcomm -- ar8035_firmware
Description: Out of bound write in logger due to prefix size is not validated while prepended to logging string in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon (description truncated in source)
Published: 2021-05-07
CVSS Score: 4.6
Source & Patch Info: CVE-2020-11294, CONFIRM
Vendor -- Product: qualcomm -- (product name illegible)
Description: Use after free in camera if the threadmanager is being cleaned up while the worker thread is processing objects in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
Published: (illegible)
CVSS Score: 4.6
Source & Patch Info: CVE-2020-11295, CONFIRM

Vendor -- Product: remotemouse -- emote_remote_mouse
Description: An issue was discovered in Emote Remote Mouse through 4.0.0.0. It uses cleartext HTTP to check, and request, updates. Thus, attackers can machine-in-the-middle a victim to download a malicious binary in place of the real update, with no SSL errors or warnings.
Published: 2021-05-07
CVSS Score: 6.8
Source & Patch Info: CVE-2021-27574, MISC, MISC

Vendor -- Product: remotemouse -- emote_remote_mouse
Description: An issue was discovered in Emote Remote Mouse through 4.0.0.0. Attackers can retrieve recently used and running applications, their icons, and their file paths. This information is sent in cleartext and is not protected by any authentication logic.
Published: 2021-05-07
CVSS Score: 5
Source & Patch Info: (CVE number illegible), MISC, MISC

Vendor -- Product: remotemouse -- emote_remote_mouse
Description: An issue was discovered in Emote Remote Mouse through 4.0.0.0. Attackers can maximize or minimize the window of a running process by sending the process name in a crafted packet. This information is sent in cleartext and is not protected by any authentication logic.
Published: 2021-05-07
CVSS Score: 5
Source & Patch Info: CVE-2021-27569, MISC, MISC

Vendor -- Product: remotemouse -- emote_remote_mouse
Description: An issue was discovered in Emote Remote Mouse through 3.015. Attackers can close any running process by sending the process name in a specially crafted packet. This information is sent in cleartext and is not protected by any authentication logic.
Published: 2021-05-07
CVSS Score: 5
Source & Patch Info: CVE-2021-27570, MISC, MISC

Vendor -- Product: stacklift -- localstack
Description: A Cross-site scripting (XSS) vulnerability exists in StackLift LocalStack 0.12.6.
Published: 2021-05-07
CVSS Score: 4.3
Source & Patch Info: CVE-2021-32091, MISC, MISC

Vendor -- Product: yzmcms -- yzmcms
Description: In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor 1.4.3.3.
Published: 2021-05-10
CVSS Score: 4.3
Source & Patch Info: CVE-2020-23369, MISC
Low Vulnerabilities

Vendor -- Product: 5none -- nonecms
Description: Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
Published: 2021-05-10
CVSS Score: 3.5
Source & Patch Info: CVE-2020-23373, MISC

Vendor -- Product: 5none -- nonecms
Description: Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
Published: 2021-05-10
CVSS Score: (illegible)
Source & Patch Info: CVE-2020-23374, MISC
Vendor -- Product: atlassian -- confluence
Description: Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters.
Published: (illegible)
CVSS Score: (illegible)
Source & Patch Info: CVE-2020-29444, N/A

Vendor -- Product: eng -- knowage
Description: Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter.
Published: (illegible)
CVSS Score: 3.5
Source & Patch Info: CVE-2021-30211, MISC

Vendor -- Product: eng -- knowage
Description: Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/documentnotes/saveNote' via the 'nota' parameter.
Published: (illegible)
CVSS Score: 3.5
Source & Patch Info: CVE-2021-30212, MISC

Vendor -- Product: eng -- knowage
Description: Knowage Suite 7.3 is vulnerable to Stored Client-Side Template Injection in '/knowage/restful-services/signup/update' via the 'name' parameter.
Published: 2021-05-12
CVSS Score: 3.5
Source & Patch Info: CVE-2021-30214, MISC

Vendor -- Product: ibm -- control_desk
Description: IBM Control Desk 7.6.1.2 and 7.6.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199228.
Published: 2021-05-10
CVSS Score: 3.8
Source & Patch Info: CVE-2021-20559, CONFIRM, XF

Vendor -- Product: ibm -- openpages_grc_platform
Description: IBM OpenPages GRC Platform 8.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182906.
Published: 2021-05-11
CVSS Score: 3.5
Source & Patch Info: CVE-2020-4535, CONFIRM, XF

Vendor -- Product: igt_project -- igt
Description: Special characters of the IGT search function in igt+ are not filtered in specific fields, which allows remote authenticated attackers to inject malicious JavaScript and carry out DOM-based XSS (Cross-site scripting) attacks.
Published: 2021-05-11
CVSS Score: 3.5
Source & Patch Info: CVE-2021-32544, CONFIRM
Vendor -- Product: jenkins -- dashboard_view
Description: Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.
Published: (illegible)
CVSS Score: 3.5
Source & Patch Info: CVE-2021-21649, CONFIRM

Vendor -- Product: jetbrains -- teamcity
Description: In JetBrains TeamCity before 2020.2.2, stored XSS on a tests page was possible.
Published: 2021-05-11
CVSS Score: 3.5
Source & Patch Info: (CVE number illegible), MISC

Vendor -- Product: jetbrains -- teamcity
Description: In JetBrains TeamCity before 2020.2.3, stored XSS was possible on several pages.
Published: 2021-05-11
CVSS Score: 3.5
Source & Patch Info: (CVE number illegible), MISC

Vendor -- Product: (illegible; reads in part "resource planning point")
Description: Special characters of the ERP POS customer profile page are not filtered in users' input, which allows remote authenticated attackers to inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, and additionally access and manipulate customers' information.
Published: 2021-05-07
CVSS Score: 3.3
Source & Patch Info: (illegible)

Vendor -- Product: (illegible; reads in part "resource planning point")
Description: Special characters of the ERP POS news page are not filtered in users' input, which allows remote authenticated attackers to inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, and additionally access and manipulate customers' information.
Published: 2021-05-07
CVSS Score: 3.5
Source & Patch Info: (illegible)

Vendor -- Product: (illegible; reads in part "communication system")
Description: Special characters of the picture preview page in the Quan-Fang-Wei-Tong-Xun system are not filtered in users' input, which allows remote authenticated attackers to inject malicious JavaScript and carry out Reflected XSS (Cross-site scripting) attacks, and additionally access and manipulate customers' information.
Published: 2021-05-07
CVSS Score: 3.5
Source & Patch Info: (illegible)

Vendor -- Product: microsoft -- windows_10
Description: Windows CSC Service Information Disclosure Vulnerability
Published: 2021-05-11
CVSS Score: (illegible)
Source & Patch Info: (illegible)

Vendor -- Product: open-emr -- openemr
Description: A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows an admin authenticated user to inject arbitrary web script or HTML via the lname parameter.
Published: (illegible)
CVSS Score: (illegible)
Source & Patch Info: (CVE number illegible), MISC

Vendor -- Product: qualcomm -- apq8009_firmware
Description: Improper handling of address deregistration on failure can lead to new GPU address allocation failure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
Published: 2021-05-07
CVSS Score: 2
Source & Patch Info: CVE-2021-1906, CONFIRM

Vendor -- Product: qualcomm -- apq8017_firmware
Description: Out of bound read can happen in Widevine TA while copying data to buffer from user data due to lack of check of buffer length received in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
Published: 2021-05-07
CVSS Score: 3.8
Source & Patch Info: CVE-2020-11293, CONFIRM

Vendor -- Product: qualcomm -- (product name illegible)
Description: Memory corruption during buffer allocation due to dereferencing session ctx pointer without checking if pointer is valid in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile
Published: (illegible)
CVSS Score: 2.4
Source & Patch Info: CVE-2020-11254, CONFIRM

Vendor -- Product: yzmcms -- yzmcms
Description: In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/1.4.3.3/php/controller.php action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
Published: (illegible)
CVSS Score: 3.5
Source & Patch Info: CVE-2020-23370, MISC

Severity Not Yet Assigned
Vendor -- Product: 101 -- 101
Description: Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-25943, MISC, MISC

Vendor -- Product: (illegible; reads in part "entrate ... desktop")
Description: Agenzia delle Entrate Desktop Telematico 1.0.0 contacts the jws.agenziaentrate.it server over cleartext HTTP, which allows man-in-the-middle attackers to spoof product updates.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-3003, MISC, MISC

Vendor -- Product: alfa -- windows_10_driver
Description: An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-26141, MISC, MISC, MLIST

(fragment of a truncated entry) affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
Vendor -- Product: alfa -- windows_10_driver
Description: An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: (CVE number illegible), MISC, MISC, MLIST

Vendor -- Product: alfa -- windows_10_driver
Description: An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: (CVE number illegible), MISC, MISC, MLIST

Vendor -- Product: amd -- sev/sev-es
Description: In the AMD SEV/SEV-ES feature, memory can be rearranged in the guest address space that is not detected by the attestation mechanism which could be used by a malicious hypervisor to potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-26311, MISC

Vendor -- Product: amd -- sev/sev-es
Description: The lack of nested page table protection in the AMD SEV/SEV-ES feature could potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-12967, MISC

Vendor -- Product: angular -- protonmail_web_client
Description: ProtonMail Web Client is the official AngularJS web client for the ProtonMail secure email service. ProtonMail Web Client before version 3.16.60 has a regular expression denial-of-service vulnerability. This was fixed in commit 6687fb. There is a full report available in the referenced GHSL-2021-027.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-32816, MISC, CONFIRM

Vendor -- Product: (illegible)
Description: A NULL pointer dereference vulnerability exists in eXcall_api.c in antisip eXosip2 through 5.2.0 when handling certain 3xx redirect responses.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: (illegible)

Vendor -- Product: apache -- traffic_server
Description: Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27737, MISC, MLIST, MLIST, MLIST

Vendor -- Product: argo_cd -- argo_cd
Description: Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: (illegible)

Vendor -- Product: arm -- mali
Description: The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r8p0 through r30p0.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-28664, CONFIRM, MISC

Vendor -- Product: arm -- mali
Description: The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-28663, CONFIRM, MISC

Vendor -- Product: articlecms -- articlecms
Description: A file upload issue exists in all versions of ArticleCMS which allows malicious users to getshell.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-28063, MISC

Vendor -- Product: articlecms -- articlecms
Description: File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-20092, MISC

Vendor -- Product: atlassian -- connect_spring_boot
Description: Broken Authentication in Atlassian Connect Spring Boot (ACSB) in version 1.1.0 before 2.1.3 and from version 2.1.4 before 2.1.5: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions 1.1.0 before 2.1.3 and versions 2.1.4 before 2.1.5 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-26077, MISC, MISC

Vendor -- Product: atlassian -- jira_server_and_data_center
Description: Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The (description truncated in source)
Published: (illegible)
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-36289, MISC
Vendor -- Product: aurelia -- htmlsanitizer
Description: The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements. An attacker might also exploit a bug in how the SCRIPT string is processed by splitting and nesting them for example.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-10062, MISC, MISC, MISC

Vendor -- Product: big-ip -- apm
Description: On BIG-IP APM versions 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, and all versions of 16.0.x, 12.1.x, and 11.6.x, an attacker may be able to bypass APM's internal restrictions and retrieve static content that is hosted within APM by sending specifically crafted requests to an APM Virtual Server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-23016, MISC

Vendor -- Product: big-ip -- apm
Description: On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x, BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-23008, MISC

Vendor -- Product: big-ip -- asm/advanced/waf_system
Description: On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and 12.1.x before 12.1.5.3, when the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON Content Profile in the ASM Security Policy, the BIG-IP ASM bd process may produce a core file. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-23010, MISC

Vendor -- Product: big-ip -- big-ip
Description: On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-23014, MISC

Vendor -- Product: big-ip -- big-ip
Description: On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-23012, MISC

Vendor -- Product: big-ip -- big-ip
Description: On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-23015, MISC

Vendor -- Product: big-ip -- big-ip
Description: On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, when the BIG-IP system is buffering packet fragments for reassembly, the Traffic Management Microkernel (TMM) may consume an excessive amount of resources, eventually leading to a restart and failover event. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-23011, MISC

Vendor -- Product: big-ip -- big-ip
Description: On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, the Traffic Management Microkernel (TMM) may stop responding when processing Stream Control Transmission Protocol (SCTP) traffic under certain conditions. This vulnerability affects TMM by way of a virtual server configured with an SCTP profile. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-23013, MISC

Vendor -- Product: big-ip -- big-ip
Description: On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic. TMM takes the configured HA action when the TMM process is aborted. There is no control plane exposure, this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-23009, MISC
Vendor -- Product: bitcoin -- core
Description: Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with nSequence = 0xff_ff_ff_ff, spending an unconfirmed parent with nSequence <= 0xff_ff_ff_fd, should be replaceable because there is inherited signaling by the child transaction. However, the actual PreChecks implementation does not enforce this. Instead, mempool rejects the replacement attempt of the unconfirmed child transaction.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-31876, MISC, MISC, MISC, MISC, MISC

Vendor -- Product: blackberry -- uem
Description: An Information Disclosure vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially gain access to a victim's web history.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-22154, MISC

Vendor -- Product: blackberry -- uem
Description: A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim's local machine with the authority of the user.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: (CVE number illegible), MISC

Vendor -- Product: blackberry -- uem
Description: A Denial of Service due to Improper Input Validation vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially prevent any new user connections.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-22152, MISC

Vendor -- Product: blackberry -- workspaces_server
Description: An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user's account.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-22155, MISC

Vendor -- Product: c-ares -- lib
Description: A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: (CVE number illegible), MISC, MISC, MISC, MISC

Vendor -- Product: chamilo -- chamilo
Description: admin/user_import.php in Chamilo 1.11.14 reads XML data without disabling the ability to load external entities.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-?2925 (CVE number partly illegible), MISC, MISC

Vendor -- Product: codoforum -- codoforum
Description: A SQL Injection vulnerability in get_topic_info() in sys/CODOF/Forum/Topic.php in Codoforum before 4.9 allows remote attackers (pre-authentication) to bypass the admin page via a leaked password-reset token of the admin. (As an admin, an attacker can upload a PHP shell and execute remote code on the operating system.)
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: (CVE number illegible), MISC, MISC, MISC, MISC, MISC

Vendor -- Product: couchbase_server -- couchbase_server
Description: An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and stats.log files. NOTE: updating the product does not automatically address leaks that occurred in the past.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-25645, CONFIRM, MISC

Vendor -- Product: cyrus -- imap
Description: Cyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-32056, CONFIRM, CONFIRM, CONFIRM, CONFIRM

Vendor -- Product: dedecms -- dedecms
Description: DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to the web manager allowing remote code execution.
Published: 2021-05-15
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-32073, MISC

Vendor -- Product: dedecms -- dedecms
Description: A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
Published: 2021-05-15
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-16632, MISC

Vendor -- Product: deep-override -- deep-override
Description: Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-25941, MISC, MISC

Vendor -- Product: delta_electronics -- cncsoft_screeneditor
Description: Delta Electronics' CNCSoft ScreenEditor in versions prior to v1.01.30 could allow the corruption of data, a denial-of-service condition, or code execution. The vulnerability may allow an attacker to remotely execute arbitrary code.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-22672, MISC

Vendor -- Product: deskpro -- cloud_platform
Description: Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a cross-site scripting (XSS) vulnerability that can lead to an account takeover via custom email templates.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-28722, MISC
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dhcms -- dhcms 


An Information Disclosure vulnerability exists in dhcms 2017-09- 


18 when entering invalid characters after the normal interface, 


2021-05-12 


not yet 


CVE-2020-19275 




















the index. Certain queries are able to enable the profiler and 
suggester which could lead to disclosing the existence of 
documents and fields the attacker should not be able to view. 


which causes an error that will leak the physical path. calculated (MISC 
A Cross Slte Scripting (XSS) vulnerability exists in Dncms 2017- 
Ghani. quaet eal (09-18 in guestbook via the message board, which could let a 2021-05-12 || "otyet a 
remote malicious user execute arbitrary code. calculated |Misy 
Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows CVE-2021-20717 
accel beneeceube a remote attacker to inject a specially crafted script in the specific not yet MISC... 
input field of the EC web site which is created using EC-CUBE. As|} 2021-05-10 Peres 
: ; : : calculated |MISC 
a result, it may lead to an arbitrary script execution on the MISC 
administrator's web browser. as 
Elastic App Search versions after 7.11.0 and before 7.12.0 contain 
: an XML External Entity Injection issue (XXE) in the App Search 
peste app eae b ler beta feature. Using this vector, an attacker whose not yet ||CVE-2021-22140 
elastic_app_search ee a ee ee eee , bettas 2021-05-13 y 
= website is being crawled by App Search could craft a malicious calculated |MISC 
sitemap.xml to traverse the filesystem of the host running the 
instance and obtain sensitive files. 
Elasticsearch versions before 7.11.2 and 6.8.15 contain a 
document disclosure flaw was found in the Elasticsearch 
suggester and profile API when Document and Field Level 
elasticsearch -- elasticsearch Security are enabled. The suggester and profile API are normally 2021-05-13 not yet CVE-2021-22135 
disabled for an index when document level security is enabled on calculated |MISC 





In Elasticsearch versions before 7.11.2 and 6.8.15 a document 


disclosure flaw was found when Document or Field Level Security 
is used. Search queries do not properly preserve security 
























































elasticsearch -- elasticsearch permissions when executing certain cross-cluster search queries. 2021-05-13 not yet |CVE-2021-22137 
This could result in the search disclosing the existence of calculated |MISC 
documents the attacker should not be able to view. This could 
result in an attacker gaining additional insight into potentially 
sensitive indices. 
exiv2 -- exiv2 | Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A read of uninitialized memory was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4. | 2021-05-13 | not yet calculated |  | CONFIRM
express -- handlebars | Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e. file.extension) can be included; files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability. | 2021-05-14 | not yet calculated |  | MISC, MISC, MISC
express-cart -- node.js | ** DISPUTED ** The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. NOTE: the vendor states that this "would rely on an admin hacking his/her own website." | 2021-05-11 | not yet calculated | CVE-2021-32573 | MISC
express-hbs -- express-hbs | express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e. file.extension) can be included; files that lack an extension will have .hbs appended to them. For complete details refer to the referenced GHSL-2021-019 report. Notes in documentation have been added to help users of express-hbs avoid this potential information exposure vulnerability. | 2021-05-14 | not yet calculated | CVE-2021-32817 | MISC, CONFIRM, MISC, MISC
firely -- spark | Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a victim's web browser. | 2021-05-14 | not yet calculated | CVE-2021-32054 | CONFIRM, CONFIRM, CONFIRM
flask -- flask | The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. | 2021-05-13 | not yet calculated | CVE-2021-33026 | MISC
foreman -- foreman_server | An improper authorization handling flaw was found in Foreman. The Shellhooks plugin for the smart-proxy allows Foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability. | 2021-05-12 | not yet calculated | CVE-2021-3457 | MISC
forestblog -- forestblog | Cross Site Request Forgery (CSRF) Vulnerability in ForestBlog latest version via the website Management background, which could let a remote malicious user gain privileges. | 2021-05-11 | not yet calculated |  | MISC
fortinac -- fortinac | A privilege escalation vulnerability in FortiNAC version below 8.8.2 may allow an admin user to escalate the privileges to root by abusing the sudo privileges. | 2021-05-10 | not yet calculated |  | CONFIRM
foxit -- pdf_reader | A use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 10.1.3.37598. A specially crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick the user into opening a malicious file or site to trigger this vulnerability if the browser plugin extension is enabled. | 2021-05-10 | not yet calculated | CVE-2021-21822 | MISC
fragattacks -- wi-fi_protected_access | The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. | 2021-05-11 | not yet calculated | CVE-2020-24588 | MISC, MISC, MLIST
fragattacks -- wi-fi_protected_access | The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. | 2021-05-11 | not yet calculated | CVE-2020-24587 | MISC, MISC, MLIST
fragattacks -- wi-fi_protected_access | The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data. | 2021-05-11 | not yet calculated | CVE-2020-24586 | MISC, MISC, MLIST
github -- enterprise_server | A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but in certain circumstances, if the user revisits the authorization flow after the GitHub App has configured additional user-level permissions, those additional permissions may not be shown, leading to more permissions being granted than the user potentially intended. This vulnerability affected GitHub Enterprise Server 3.0.x prior to 3.0.7 and 2.22.x prior to 2.22.13. It was fixed in versions 3.0.7 and 2.22.13. This vulnerability was reported via the GitHub Bug Bounty program. | 2021-05-14 | not yet calculated | CVE-2021-22866 | CONFIRM, CONFIRM
golo -- laravel | An Arbitrary File Upload vulnerability was discovered in the Golo Laravel theme v 1.1.5. | 2021-05-12 | not yet calculated |  | 
graphhopper -- graphhopper | GraphHopper is an open-source Java routing engine. In GraphHopper from version 2.0 and before version 2.4, there is a regular expression injection vulnerability that may lead to Denial of Service. This has been patched in 2.4 and 3.0. See this pull request for the fix: https://github.com/graphhopper/graphhopper/pull/2304 | 2021-05-13 | not yet calculated | CVE-2021-29506 | MISC, CONFIRM, MISC
haml-coffee -- haml-coffee | haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally, control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs, which may result in reflected Cross Site Scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of haml-coffee is currently 1.14.1. For complete details refer to the referenced GHSL-2021-025. | 2021-05-14 | not yet calculated | CVE-2021-32818 | CONFIRM, MISC
hapi -- jpa_server | JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server resources if there are many simultaneous history requests. | 2021-05-10 | not yet calculated | CVE-2021-32053 | MISC, MISC, MISC
hewlett_packard_enterprises -- ilo_amplifier_pack | A potential security vulnerability was identified in HPE iLO Amplifier Pack. The vulnerabilities could be remotely exploited to allow remote code execution. | 2021-05-10 | not yet calculated | CVE-2021-26583 | MISC
hexagon -- g!nius_auskunftsportal | Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter. | 2021-05-14 | not yet calculated | CVE-2021-32051 | MISC, MISC
hilscher -- rcx_rtos | In Hilscher rcX RTOS versions prior to V2.1.14.1 the actual UDP packet length is not verified against the length indicated by the packet. This may lead to a denial of service of the affected device. | 2021-05-13 | not yet calculated | CVE-2021-20988 | CONFIRM, CONFIRM
hivex_library -- hivex_library | A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to crash. The highest threat from this vulnerability is to system availability. | 2021-05-11 | not yet calculated | CVE-2021-3504 | MISC, MLIST
hotels_server -- hotels_server | Cross Site Scripting (XSS) in Hotels_Server v1.0 allows remote attackers to execute code by injecting crafted commands into the data fields in the component "/controller/publishHotel.php". | 2021-05-10 | not yet calculated |  | MISC
ibm -- cloud_pak_for_security | IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. IBM X-Force ID: 199236. | 2021-05-14 | not yet calculated | CVE-2021-20565 | XF, CONFIRM
ibm -- cloud_pak_for_security | IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a privileged user to inject malicious data using a specially crafted HTTP request due to improper input validation. | 2021-05-14 | not yet calculated | CVE-2020-4811 | CONFIRM
ibm -- cloud_pak_for_security | IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 199235. | 2021-05-14 | not yet calculated | CVE-2021-20564 | XF, CONFIRM
ibm -- jazz_reporting_service | IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 198834. | 2021-05-13 | not yet calculated | CVE-2021-20535 | XF, CONFIRM
ibm -- planning_analytics_local | IBM Planning Analytics Local 2.0 could allow an attacker to obtain sensitive information due to accepting body parameters in a query. IBM X-Force ID: 192642. | 2021-05-14 | not yet calculated | CVE-2020-4985 | CONFIRM, XF
ibm -- qradar_user_behavior_analytics | IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196001. | 2021-05-14 | not yet calculated | CVE-2021-20393 | CONFIRM, XF
ibm -- qradar_user_behavior_analytics | IBM QRadar User Behavior Analytics 1.0.0 through 4.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2021-05-14 | not yet calculated | CVE-2021-20392 | CONFIRM, XF
ibm -- qradar_user_behavior_analytics | IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 could disclose sensitive information due to an overly permissive cross-domain policy. IBM X-Force ID: 196334. | 2021-05-14 | not yet calculated | CVE-2021-20429 | CONFIRM, XF
ibm -- qradar_user_behavior_analytics | IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 195999. | 2021-05-14 | not yet calculated | CVE-2021-20391 | XF, CONFIRM
ilias -- ilias | A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data. | 2021-05-13 | not yet calculated | CVE-2020-23996 | CONFIRM, MISC, CONFIRM, CONFIRM
ilias -- ilias | An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload. | 2021-05-13 | not yet calculated | CVE-2020-23995 | CONFIRM, CONFIRM, MISC, CONFIRM
imagemagick -- imagemagick | A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to system availability. | 2021-05-11 | not yet calculated |  | 
imagemagick -- imagemagick | In ImageMagick versions before 7.0.9-0, there are outside the range of representable values of type 'float' at MagickCore/quantize.c. | 2021-05-14 | not yet calculated | CVE-2020-27769 | MISC
imagemagick -- imagemagick | A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible. The highest threat from this vulnerability is to data confidentiality. | 2021-05-11 | not yet calculated | CVE-2021-20313 | MISC
imagemagick -- imagemagick | A flaw was found in ImageMagick in versions 7.0.11, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability. | 2021-05-11 | not yet calculated | CVE-2021-20312 | MISC
imagemagick -- imagemagick | A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability. | 2021-05-11 | not yet calculated | CVE-2021-20310 | MISC
imagemagick -- imagemagick | A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability. | 2021-05-11 | not yet calculated | CVE-2021-20311 | MISC
invoiceplane -- invoiceplane | In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory. | 2021-05-10 | not yet calculated | CVE-2021-29022 | MISC
jenkins -- p4_plugin | A cross-site request forgery (CSRF) vulnerability in Jenkins P4 Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified Perforce server using attacker-specified username and password. | 2021-05-11 | not yet calculated | CVE-2021-21655 | CONFIRM
jenkins -- p4_plugin | Jenkins P4 Plugin 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password. | 2021-05-11 | not yet calculated | CVE-2021-21654 | CONFIRM
jenkins -- s3_publisher | Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled. | 2021-05-11 | not yet calculated |  | 
jenkins -- s3_publisher | Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles. | 2021-05-11 | not yet calculated |  | 
jenkins -- xcode | Jenkins Xcode integration Plugin 2.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 2021-05-11 | not yet calculated |  | CONFIRM
jenkins -- xray-test_management_for_jira | Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 2021-05-11 | not yet calculated | CVE-2021-21653 | CONFIRM
jenkins -- xray-test_management_for_jira | A cross-site request forgery (CSRF) vulnerability in Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 2021-05-11 | not yet calculated | CVE-2021-21652 | CONFIRM
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to create webhook actions could drain the Kibana host connection 





pool, making Kibana unavailable for all other users. 














5/17/2021 Vulnerability Summary for the Week of May 10, 2021 
Primary ae j Cvss Source & Patch 
Vendor -- Product Pescmpron eubllehed | Score Info 
jetbrains -- code_with_me In JetBrains Code With Me bundled to the compatible IDEs before 2024-05-11 not yet inne 
version 2021.1, the client could execute code in read-only mode. calculated MISC 
jetbrains -- code_with_me In JetBrains Code With Me bundled to the compatible IDE 2021-05-11 not yet nee 
versions before 2021.1, a client could open a browser on a host. calculated MISC 
jetbrains -- hub In JetBrains Hub before 2021.1.13079, two-factor authentication 2024-05-11 not yet ania 
wasn't enabled properly for the All Users group. calculated MISC 
ietbrains~<intellii idea In JetBrains IntelliJ IDEA 2020.3.3, local code execution was natvat CVE-2021-29263 
! I possible because of insufficient checks when getting the project 2021-05-11 Pia nae MISC 
from VCS. MISC 
jjetbrains - intelli_idea In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to 5021.05.11 || notyet oe 
information disclosure. calculated MISC 
létbrains=oveharm In JetBrains PyCharm before 2020.3.4, local code execution was not yet CVE-2021-30005 
! Py possible because of insufficient checks when getting the project 2021-05-11 Pie MISC 
from VCS. MISC 
\jetbrains -- teamcity In JetBrains TeamCity before 2020.2.3, information disclosure via 2024-05-11 not yet eee 
SSRF was possible. calculated MISC 
\jetbrains -- teamcity In JetBrains TeamCity before 2020.2.4 on Windows, arbitrary code 2021-05-11 not yet 1 iia 
execution on TeamCity Server was possible. calculated MISC 
\jetbrains -- teamcity In JetBrains TeamCity before 2020.2.4, OS command injection 2024-05-11 not yet ani 
leading to remote code execution was possible. calculated MISC 
jetbrains -- teamcity In JetBrains TeamCity before 2020.2.3, insufficient checks of the 2024-05-11 not yet wee 
redirect_uri were made during GitHub SSO token exchange. calculated MISC 
\jetbrains -- teamcity In JetBrains TeamCity before 2020.2.3, account takeover was 2024-05-11 not yet ele 
potentially possible during a password reset. calculated MISC 
jetbrains -- upsource In JetBrains UpSource before 2020.1.1883, application passwords 2021-05-11 not yet eo 
were not revoked correctly calculated MISC 
jetbrains -- webstorm In JetBrains WebStorm before 2021.1, code execution without not yet CVE-2021-31897 
: : ; : 2021-05-11 MISC 
user confirmation was possible for untrusted projects. calculated MISC 
jetbrains -- webstorm In JetBrains WebStorm before 2021.1, HTTP requests were used not yet CVE-2021-31898 
: 2021-05-11 MISC 
instead of HTTPS. calculated MISC 
jetbrains -- youtrack In JetBrains YouTrack before 2021.1.9819, a pull request's title 2024-05-11 not yet in 
was sanitized insufficiently, leading to XSS. calculated MISC 
jetbrains -- youtrack In JetBrains YouTrack before 2020.6.6600, access control during 2021-05-11 not yet cao 
the exporting of issues was implemented improperly. calculated MISC 
jetbrains -- youtrack In JetBrains YouTrack before 2020.6.6441, stored XSS was 2024-05-11 not yet v1 ries 
possible via an issue attachment. calculated MISC 
Password generator feature in Kaspersky Password Manager was 
not completely cryptographically strong and potentially allowed an 
kaspersky -- password_manager  [ttacker to predict generated passwords in some cases. An 2021-05-14 BLA olag |: ae 
a ‘ : calculated ||MISC 
attacker would need to know some additional information (for 
example, time of password generation). 
A flaw was found in keycloak. Directories can be created prior to 
the Java process creating them in the temporary directory, but 
Keyeloak = Keyoloak with wider user permissions, allowing the attacker to have access || 2021-05-12 Ped ae oo 
ito the contents that keycloak stores in this directory. The highest fcr 
threat from this vulnerability is to data confidentiality and integrity. 
In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session 
timeout was discovered where the 
kibana -- kibana xpack.security.session.idleTimeout setting is not being respected. 2021-05-13 not yet CVE-2021-22136 
This was caused by background polling activities unintentionally calculated |MISC 
extending authenticated users sessions, preventing a user 
session from timing out. 
Kibana versions before 7.12.1 contain a denial of service 
; F vulnerability was found in the webhook actions due to a lack of 
pipet 5iBea timeout or a limit on the request size. An attacker with permissions||_ 2021-05-13 Pitas eo 
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Primary ae j Cvss Source & Patch 
Vendor -- Product Bescmpren eubilehed | Score Info 
kk_star_ratings -- kk_star_ratings ||Cross Site Scripting (XSS) vulnerability in the kk Star Ratings 2024-05-11 not yet rin 
plugin before 4.1.5. calculated MISC 
A directory traversal vulnerability exists in Kyocera Printer d- 
kyocera -- printer_d-copia253mf COPIA253MF plus. Successful exploitation of this vulnerability 2021-05-10 not yet |CVE-2020-23575 
could allow an attacker to retrieve or view arbitrary files from the calculated |EXPLOIT-DB 
affected server. 
Unrestricted File Upload in LAOBANCMS v2.0 allows remote 
lachancine<lachanchis attackers to upload arbitrary files by attaching a file with a 2021-05-14 not yet ||CVE-2020-18166 
.jpg.php" extension to the component "admin/wenjian.php? calculated |MISC 
wj=../templets/pc". 
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote 
laobancms -- laobancms attackers to execute arbitrary code by injecting commands into the 2021-05-14 not yet CVE-2020-18167 
"Homepage Introduction" field of component "admin/info.php? calculated |MISC 
shuyu". 
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote 
laobancms -- laobancms attackers to execute arbitrary code by injecting commands into the 2021-05-12 not yet |CVE-2020-18165 
"Website SEO Keywords" field on the page "admin/info.php? calculated ||MISC 
shuyu". 
A vulnerability found in libxml2 in versions before 2.9.11 shows 
that it did not propagate errors while parsing XML mixed content, CVE-2021-3537 
libxml2 -- libxml2 causing a NULL dereference. If an untrusted XML document was 2021-05-14 not yet MISC 
parsed in recovery mode and post-validated, the flaw could be calculated ||EEDORA 
used to crash the application. The highest threat from this MLIST 
vulnerability is to system availability. 
By exploiting a time of check to time of use (TOCTOU) race 
condition during the Endpoint Security for Linux Threat Prevention 
; F and Firewall (ENSL TP/FW) installation process, a local user can not yet CVE-2021-23892 
Neie=linibe homie perform a privilege escalation attack to obtain administrator 2021-05-12 I caiculated [CONFIRM 
privileges for the purpose of executing arbitrary code through 
insecure use of predictable temporary file locations. 
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in — 
linux -- linux_kernel net/can/isotp.c allows privilege escalation to root by leveraging a 2021-05-11 not yet MLIST 
use-after-free. (This does not affect earlier versions that lack CAN calculated IMLIST 
ISOTP SF_BROADCAST support.) IMLIST 
An issue was discovered in the Linux kernel 5.8.9. The WEP, 
WPA, WPA2, and WPA3 implementations reassemble fragments 
: ; even though some of them were sent in plaintext. This CVE-2020-26147 
linux -- linux_kernel a3 pie : not yet |MISC 
= vulnerability can be abused to inject packets and/or exfiltrate 2021-05-11 calculated MISC 
selected fragments when another device sends fragmented IMLIST 
frames and the WEP, CCMP, or GCMP data-confidentiality 
protocol is used. 
CVE-2020-27830 
A vulnerability was found in Linux Kernel where in the MISC 
linux -- linux_kernel spk_ttyio_receive_buf2() function, it would dereference 2021-05-13 not yet |MLIST 
spk_ttyio_synth without checking whether it is NULL or not, and calculated ||MLIST 
may lead to a NULL-ptr deref crash. DEBIAN 
MLIST 
An information disclosure vulnerability exists in the 
/proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 
5.4.66. More specifically, this issue has been introduced in v5.1- 
linux -- linux_kernel rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and 2021-05-10 not yet ||CVE-2020-28588 
is still present in v5.10-rc4, so it’s likely that all versions in calculated |MISC 
between are affected. An attacker can read /proc/pid/syscall to 
trigger this vulnerability, which leads to the kernel leaking memory 
contents. 
CVE-2021-33033 
The Linux kernel before 5.11.14 has a use-after-free in Ea 
linux -- linux_kernel cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and 2021-05-14 not yet MISC 
CALIPSO refcounting for the DOI definitions is mishandled, aka calculated MISC 
ClID-ad5d07f4a9cd. This leads to writing an arbitrary value. MISC 
MISC 
Use After Free vulnerability in nfc sockets in the Linux Kernel ee aA 
linux -- linux_kernel before 5.12.2 allows local attackers to elevate their privileges. In notyet lhaan 
: : : : ; 2021-05-12 MISC 
typical configurations, the issue can only be triggered by a calculated FEDORA 
privileged local user with the CAP_NET_RAW capability. FEDORA 
‘The block subsystem in the Linux kernel before 5.2 has a use- as 
linux -- linux_kernel after-free that can lead to arbitrary code execution in the kernel 2021-05-14 not yet MISC 
context and privilege escalation, aka CID-c3e2219216c9. This is calculated MISC 
related to blk_mq_free_rqs and blk_cleanup_queue. MISC 
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5/17/2021 Vulnerability Summary for the Week of May 10, 2021 
Primary ae j Cvss Source & Patch 
Vendor -- Product Pescmpron eubilehed Score Info 
linux -- linux_kernel | In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. | 2021-05-14 | not yet calculated | CVE-2021-33034; MISC, MISC, MISC, MISC
logstash -- logstash | In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0, a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate, Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man-in-the-middle style attack against the Logstash monitoring data. | 2021-05-13 | not yet calculated | CVE-2021-22138; MISC
marvin_minsky -- universal_turing_machine | Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states "this vulnerability has no real-world implications." | 2021-05-10 | not yet calculated | CVE-2021-32471; MISC, MISC
mcafee -- total_protection | Privilege Escalation vulnerability in McAfee Total Protection (MTP) prior to 16.0.32 allows a local user to gain elevated privileges by impersonating a client token, which could lead to the bypassing of MTP self-defense. | [date not legible] | not yet calculated | CVE-2021-23891; CONFIRM
mcafee -- total_protection | Privilege Escalation vulnerability in the File Lock component of McAfee Total Protection (MTP) prior to 16.0.32 allows a local user to gain elevated privileges by manipulating a symbolic link in the IOCTL interface. | 2021-05-12 | not yet calculated | CVE-2021-23872; CONFIRM
mendix -- database_replication | A vulnerability has been identified in Mendix Database Replication (All versions < V7.0.1). Uploading a table mapping using a manipulated XML file results in an exception that could expose information about the application server and the XML framework in use. | 2021-05-12 | [not legible] | [CVE ID not legible]
mendix -- excel_importer_module | A vulnerability has been identified in Mendix Excel Importer Module (All versions < V9.0.3). Uploading a manipulated XML file results in an exception that could expose information about the application server and the XML framework in use. | 2021-05-12 | not yet calculated | CVE-2021-31339; MISC, MISC
mercedes-benz -- mbux_infotainment_system | An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A type confusion issue affects MultiSvSetAttributes in the HiQnet Protocol, leading to remote code execution. | 2021-05-13 | not yet calculated | CVE-2021-23908; MISC, MISC, MISC
mercedes-benz -- mbux_infotainment_system | An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A Message Length is not checked in the HiQnet Protocol, leading to remote code execution. | 2021-05-13 | not yet calculated | CVE-2021-23906; MISC, MISC, MISC
mercedes-benz -- mbux_infotainment_system | An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The count in MultiSvGet, GetAttributes, and MultiSvSet is not checked in the HiQnet Protocol, leading to remote code execution. | 2021-05-13 | not yet calculated | CVE-2021-23907; MISC, MISC, MISC
mercedes-benz -- mbux_infotainment_system | An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The SH2 MCU allows remote code execution. | 2021-05-13 | not yet calculated | [CVE ID not legible]; MISC, MISC
mercedes-benz -- mbux_infotainment_system | An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. There is an out-of-bounds array access in RemoteDiagnosisApp. | 2021-05-13 | not yet calculated | [CVE ID not legible]; MISC, MISC
microsoft -- 365_dynamics | Dynamics Finance and Operations Cross-site Scripting Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-28461; N/A
microsoft -- accessibility_insights | Microsoft Accessibility Insights for Web Information Disclosure Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31936; N/A
microsoft -- excel | Microsoft Excel Information Disclosure Vulnerability | 2021-05-11 | not yet calculated | [CVE ID not legible]; N/A
microsoft -- exchange | Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31195. | 2021-05-11 | not yet calculated | CVE-2021-31198; N/A
microsoft -- exchange | Microsoft Exchange Server Security Feature Bypass Vulnerability | 2021-05-11 | not yet calculated | [CVE ID not legible]; N/A
microsoft -- exchange | Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31198. | 2021-05-11 | not yet calculated | CVE-2021-31195; N/A
microsoft -- exchange | Microsoft Exchange Server Spoofing Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31209; N/A
microsoft -- internet_explorer | Scripting Engine Memory Corruption Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-26419; N/A, MISC
microsoft -- internet_explorer | Web Media Extensions Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-28465; N/A, MISC, MISC
microsoft -- jet_red_database_engine | Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-28455; N/A
microsoft -- office | Microsoft Office Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31175, CVE-2021-31176, CVE-2021-31179. | 2021-05-11 | not yet calculated | CVE-2021-31177; N/A, MISC
microsoft -- office | Microsoft Office Information Disclosure Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31178; N/A
microsoft -- office | Microsoft Office Graphics Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31180; N/A
microsoft -- office | Microsoft Office Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31175, CVE-2021-31176, CVE-2021-31177. | 2021-05-11 | not yet calculated | CVE-2021-31179; N/A
microsoft -- office | Microsoft Office Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31176, CVE-2021-31177, CVE-2021-31179. | 2021-05-11 | not yet calculated | CVE-2021-31175; N/A, MISC
microsoft -- office | Microsoft Office Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31175, CVE-2021-31177, CVE-2021-31179. | 2021-05-11 | not yet calculated | CVE-2021-31176; N/A, MISC
microsoft -- sharepoint | Microsoft SharePoint Spoofing Vulnerability. This CVE ID is unique from CVE-2021-26418, CVE-2021-28478. | 2021-05-11 | not yet calculated | CVE-2021-31172; N/A
microsoft -- sharepoint | Microsoft SharePoint Server Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-28474; N/A, MISC
microsoft -- sharepoint | Microsoft SharePoint Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31181; N/A, MISC
microsoft -- sharepoint | Microsoft SharePoint Spoofing Vulnerability. This CVE ID is unique from CVE-2021-28478, CVE-2021-31172. | 2021-05-11 | not yet calculated | CVE-2021-26418; N/A
microsoft -- sharepoint | Microsoft SharePoint Spoofing Vulnerability. This CVE ID is unique from CVE-2021-26418, CVE-2021-31172. | 2021-05-11 | not yet calculated | CVE-2021-28478; N/A
microsoft -- sharepoint | Microsoft SharePoint Information Disclosure Vulnerability | 2021-05-11 | not yet calculated | [CVE ID not legible]; N/A
microsoft -- sharepoint | Microsoft SharePoint Server Information Disclosure Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31173; N/A
microsoft -- skype_for_business | Skype for Business and Lync Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-26422; N/A
microsoft -- skype_for_business | Skype for Business and Lync Spoofing Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-26421; N/A
microsoft -- visual_studio | Visual Studio Code Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31214. | 2021-05-11 | not yet calculated | CVE-2021-31211; N/A
microsoft -- visual_studio | .NET and Visual Studio Elevation of Privilege Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31204; N/A
microsoft -- visual_studio | Visual Studio Code Remote Containers Extension Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31213; N/A
microsoft -- visual_studio | Visual Studio Code Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31211. | 2021-05-11 | not yet calculated | CVE-2021-31214; N/A
microsoft -- visual_studio | Visual Studio Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-27068; N/A
microsoft -- windows | Windows Container Manager Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31165, CVE-2021-31167, CVE-2021-31168, CVE-2021-31169. | 2021-05-11 | not yet calculated | [CVE ID not legible]
microsoft -- windows | OLE Automation Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31194; N/A
microsoft -- windows | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31190; N/A
microsoft -- windows | Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31184; N/A
microsoft -- windows | Windows Graphics Component Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31170. | 2021-05-11 | not yet calculated | [CVE ID not legible]; MISC
microsoft -- windows | Windows SSDP Service Elevation of Privilege Vulnerability | 2021-05-11 | not yet calculated | [CVE ID not legible]; N/A
microsoft -- windows | Windows WalletService Elevation of Privilege Vulnerability | 2021-05-11 | not yet calculated | [CVE ID not legible]; N/A, MISC
microsoft -- windows | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31186; N/A
microsoft -- windows | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31191; N/A
microsoft -- windows | Windows Media Foundation Core Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31192; N/A
microsoft -- windows | Windows Desktop Bridge Denial of Service Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31185; N/A
microsoft -- windows | Microsoft Bluetooth Driver Spoofing Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31182; N/A
microsoft -- windows | Common Utilities Remote Code Execution Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31200; N/A
microsoft -- windows | Windows SMB Client Security Feature Bypass Vulnerability | 2021-05-11 | not yet calculated | CVE-2021-31205; N/A
mikrotik -- routeros | Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/resolver process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access. | 2021-05-11 | not yet calculated | CVE-2020-20267; MISC
mikrotik -- routeros | Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /ram/pckg/wireless/nova/bin/wireless process. An authenticated remote attacker can cause a Denial of Service via a crafted packet. | 2021-05-11 | not yet calculated | CVE-2020-20265; MISC
mongodb -- mongodb | Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authentication-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= [upper version bound not legible]. | 2021-05-13 | not yet calculated | [CVE ID not legible]
moxa -- camera_vport_06ec-2v_series | Improper validation of the length field of LLDP-MED TLV in userdisk/vport_lldpd in Moxa Camera VPort 06EC-2V Series, version 1.1, allows information disclosure to attackers due to using a fixed loop counter variable without checking the actual available length via a crafted lldp packet. | 2021-05-10 | not yet calculated | CVE-2021-25848; MISC, MISC
moxa -- camera_vport_06ec-2v_series | Improper validation of the length field of LLDP-MED TLV in userdisk/vport_lldpd in Moxa Camera VPort 06EC-2V Series, version 1.1, allows information disclosure to attackers due to a controllable loop counter variable via a crafted lldp packet. | 2021-05-10 | not yet calculated | CVE-2021-25847; MISC, MISC
moxa -- camera_vport_06ec-2v_series | Improper validation of the ChassisID TLV in userdisk/vport_lldpd in Moxa Camera VPort 06EC-2V Series, version 1.1, allows attackers to cause a denial of service due to a NULL pointer dereference via a crafted lldp packet. | 2021-05-10 | not yet calculated | CVE-2021-25845; MISC, MISC
moxa -- camera_vport_06ec-2v_series | Improper validation of the ChassisID TLV in userdisk/vport_lldpd in Moxa Camera VPort 06EC-2V Series, version 1.1, allows attackers to cause a denial of service due to a negative number passed to the memcpy function via a crafted lldp packet. | 2021-05-10 | not yet calculated | CVE-2021-25846; MISC, MISC
moxa -- camera_vport_06ec-2v_series | An integer underflow was discovered in userdisk/vport_lldpd in Moxa Camera VPort 06EC-2V Series, version 1.1; improper validation of the PortID TLV leads to Denial of Service via a crafted lldp packet. | 2021-05-10 | not yet calculated | CVE-2021-25849; MISC
netbsd -- netbsd | An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. | 2021-05-11 | not yet calculated | CVE-2020-26139; MISC, MISC, MLIST
noobaa-operator -- noobaa-operator | A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional [remainder of description not present in source] | 2021-05-13 | not yet calculated | CVE-2021-3528; MISC
nport -- ia5000a_devices | The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks. | 2021-05-14 | not yet calculated | CVE-2020-27184; MISC
nport -- ia5000a_devices | Cleartext transmission of sensitive information via Moxa Service in NPort IA5000A series serial devices. Successfully exploiting the vulnerability could enable attackers to read authentication data, device configuration, and other sensitive data transmitted over Moxa Service. | 2021-05-14 | not yet calculated | CVE-2020-27185; MISC, MISC
nport -- ia5000a_devices | In multiple versions of NPort IA5000A Series, the result of exporting a device's configuration contains the passwords of all users on the system and other sensitive data in the original form if "Pre-shared key" is not set. | 2021-05-14 | not yet calculated | CVE-2020-27150; MISC, MISC
nport -- ia5150a_devices | By exploiting a vulnerability in NPort IA5150A/IA5250A Series before version 1.5, a user with "Read Only" privilege level can send requests via the web console to have the device's configuration changed. | 2021-05-14 | not yet calculated | CVE-2020-27149; MISC, MISC
octoprint -- octoprint | The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not log files. | 2021-05-11 | not yet calculated | [CVE ID not legible]; MISC, MISC
octoprint -- octoprint | OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters. | 2021-05-11 | not yet calculated | CVE-2021-32561; MISC, MISC, MISC
octopus -- server | Cleartext storage of sensitive information in multiple versions of Octopus Server where, in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext. | 2021-05-14 | not yet calculated | CVE-2021-30183; MISC
omron -- cx-one | Omron CX-One Versions 4.60 and prior, including CX-Server Versions 5.0.29.0 and prior, are vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code. | 2021-05-13 | not yet calculated | CVE-2021-27413; MISC, MISC
openapi -- openapi | OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using File.createTempFile in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. Auto-generated code (Java, Scala) that deals with uploading or downloading binary data through API endpoints will create insecure temporary files during the process. Affected generators: java (jersey2, okhttp-gson (default library)), scala-finch. The issue has been patched with Files.createTempFile and released in the v5.1.0 stable version. | 2021-05-10 | not yet calculated | [CVE ID not legible]; MISC, MISC
openapi -- openapi | Openapi generator is a java tool which allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. openapi-generator-online creates insecure temporary folders with File.createTempFile during the code generation process. The insecure temporary folders store the auto-generated files which can be read and appended to by any users on the system. The issue has been patched with Files.createTempFile and released in the v5.1.0 stable version. | 2021-05-10 | not yet calculated | CVE-2021-21428; CONFIRM
openbsd -- openbsd | An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. | 2021-05-11 | not yet calculated | CVE-2020-26142; MISC, MISC, MLIST
openjpeg -- openjpeg | A flaw was found in OpenJPEG's encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | 2021-05-13 | not yet calculated | CVE-2020-27823; MLIST, MISC, FEDORA, FEDORA, DEBIAN
openjpeg -- openjpeg | A flaw was found in OpenJPEG's encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest threat from this vulnerability is to system availability. | 2021-05-13 | not yet calculated | [CVE ID not legible]; FEDORA, DEBIAN
openscad -- openscad | An out-of-bounds write vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. | 2021-05-10 | not yet calculated | [CVE ID not legible]
phpok -- phpok | A Cross Site Request Forgery (CSRF) vulnerability exists in PHPOK 5.2.060 via admin.php?c=admin&f=save, which could let a remote malicious user execute arbitrary code. | 2021-05-10 | not yet calculated | [CVE ID not legible]
piwigo -- piwigo | Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection. | 2021-05-13 | not yet calculated | [CVE ID not legible]; CONFIRM
proofpoint -- enterprise_protection | Proofpoint Enterprise Protection (PPS/PoD) before 8.16.4 contains a vulnerability that could allow an attacker to deliver an email message with a malicious attachment that bypasses scanning and file-blocking rules. The vulnerability exists because messages with certain crafted and malformed multipart structures are not properly handled. | 2021-05-07 | not yet calculated | CVE-2020-14009; MISC, MISC
prosody -- prosody | An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. | [date not legible] | not yet calculated | CVE-2021-32917; MISC, MLIST, MLIST
prosody -- prosody | Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. | 2021-05-13 | not yet calculated | CVE-2021-32920; MISC, MLIST, MLIST
prosody -- prosody | An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. | 2021-05-13 | not yet calculated | [CVE ID not legible]; MLIST
prosody -- prosody | An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. | 2021-05-13 | not yet calculated | CVE-2021-32918; MISC, MLIST, MLIST
prosody -- prosody | An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled). | 2021-05-13 | not yet calculated | CVE-2021-32919; MISC, MLIST, MLIST
pulse_secure -- virtual_traffic_manager | An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3. | 2021-05-14 | not yet calculated | CVE-2021-31922; MISC
puma -- puma | Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent connections saturating all threads in all processes in the cluster. A 'puma' server which received more concurrent 'keep-alive' connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in 'puma' 4.3.8 and 5.3.1. Setting 'queue_requests false' also fixes the issue. This is not advised when using 'puma' without a reverse proxy, such as 'nginx' or 'apache', because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma. | 2021-05-11 | not yet calculated | CVE-2021-29509; MISC, MISC, CONFIRM, MISC
pydantic -- pydantic | Pydantic is a data validation and settings management library using Python type hinting. In affected versions passing either 'infinity', 'inf' or float('inf') (or their negatives) to 'datetime' or 'date' fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patched with fixes available in the following versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on pypi (https://pypi.org/project/pydantic/#history), and will be available on conda-forge (https://anaconda.org/conda-forge/pydantic) soon. See the changelog (https://pydantic-docs.helpmanual.io/) for details. If you absolutely can't upgrade, you can work around this risk using a validator (https://pydantic-docs.helpmanual.io/usage/validators/) to catch these values. This is not an ideal solution (in particular you'll need a slightly different function for datetimes); instead of a hack like this you should upgrade pydantic. If you are not using v1.8.x, v1.7.x or v1.6.x and are unable to upgrade to a fixed version of pydantic, please create an issue at https://github.com/samuelcolvin/pydantic/issues requesting a back-port, and we will endeavour to release a patch for earlier versions of pydantic. | 2021-05-13 | not yet calculated | CVE-2021-29510; CONFIRM, MISC
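The pydantic entry above describes a datetime parser that spins forever once a non-finite value reaches it. The Python below is an added example written for this page, not pydantic's code: it models the failure mode with a scale-down loop of the kind that never converges on inf (inf / 1000 is still inf) and shows the finiteness check a validator has to perform before any such arithmetic runs. The watershed threshold, the loop, the iteration cap and all helper names are assumptions for the example; pydantic's actual parser and fix are in the versions the advisory lists.

```python
import math
from datetime import datetime, timezone

# Assumed threshold for this example: a timestamp above it is treated as
# milliseconds and scaled down. The real value pydantic uses is not taken
# from this page.
MS_WATERSHED = int(2e10)


def normalize_seconds(seconds: float, max_iterations: int = 8) -> float:
    """Scale-down loop of the kind that never converges on inf: inf / 1000 is
    still inf, so abs(seconds) <= MS_WATERSHED never becomes true. The cap is
    added for this example so the runaway is reported instead of spun on."""
    for _ in range(max_iterations):
        if abs(seconds) <= MS_WATERSHED:
            return seconds
        seconds /= 1000
    raise RuntimeError("timestamp did not converge; uncapped, this loop spins forever")


def parse_timestamp(value):
    """Hardened equivalent of a datetime field validator: reject non-finite
    values before any loop or arithmetic sees them."""
    if isinstance(value, str):
        # float() accepts "inf", "infinity", "-Infinity", "nan" and even
        # "1e999", which overflows to inf; all of them must be caught below.
        value = float(value)
    value = float(value)
    if not math.isfinite(value):
        raise ValueError("non-finite values are not valid timestamps")
    return datetime.fromtimestamp(normalize_seconds(value), tz=timezone.utc)


def rejects(value) -> bool:
    """True if parse_timestamp refuses the value with ValueError."""
    try:
        parse_timestamp(value)
    except ValueError:
        return True
    return False


def loops_without_check(value) -> bool:
    """True if the scale-down loop alone (no finiteness check) fails to converge."""
    try:
        normalize_seconds(float(value))
    except RuntimeError:
        return True
    return False
```

The order of the two checks is the point: the finiteness test has to come before the conversion loop, and it has to run on the already-coerced float, because the string forms ("infinity", "-inf", an overflowing exponent) all reach the loop as the same non-finite value.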
qemu -- qemu | A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. | 2021-05-13 | not yet calculated | [CVE ID not legible]; MLIST, MISC
qemu -- qemu | An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0 on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. | 2021-05-13 | not yet calculated | CVE-2021-20221; MLIST, MISC, MLIST
qnap -- malware_remover | A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP Systems Inc. Malware Remover 3.x. | 2021-05-13 | not yet calculated | [CVE ID not legible]; MISC
qnap -- music_station | An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.3.16 on QTS 4.5.2; versions prior to 5.2.10 on QTS 4.3.6; versions prior to 5.1.14 on QTS 4.3.3; versions prior to 5.3.16 on QuTS hero h4.5.2; versions prior to 5.3.16 on QuTScloud c4.5.4. | 2021-05-13 | not yet calculated | CVE-2020-36197; MISC
qnap -- nas | An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2; QNAP Systems Inc. HBS 1.3. | 2021-05-13 | not yet calculated | CVE-2021-28799; MISC
radare2 -- radare2 | In radare2 through 5.3.0 there is a double free vulnerability in the pyc parser via a crafted file which can lead to DoS. | 2021-05-14 | not yet calculated | [CVE ID not legible]; MISC
raptor -- xml_writer_start_element_common | A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common. | 2021-05-13 | not yet calculated | CVE-2020-25713; MISC, FEDORA, MISC, MLIST, FEDORA
red_hat -- red_hat | A Zip Slip vulnerability was found in the oc binary in openshift-clients where an arbitrary file write is achieved by using a specially crafted raw container image (.tar file) which contains symbolic links. The vulnerability is limited to the command 'oc image extract'. If a symbolic link is first created pointing within the tarball, this allows further symbolic links to bypass the existing path check. This flaw allows the tarball to create links outside the tarball's parent directory, allowing for executables or configuration files to be overwritten, resulting in arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions up to and including openshift-clients-4.7.0-202104250659.p0.git.95881af are affected. | 2021-05-14 | not yet calculated | [CVE ID not legible]; CONFIRM
riyalab -- cloudiso | When a RiyaLab CloudISO event item is added, special characters in a specific field of the time management page are not properly filtered, which allows remote authenticated attackers to inject malicious JavaScript and carry out stored XSS (Stored Cross-site Scripting) attacks. | 2021-05-11 | not yet calculated | [CVE ID not legible]; CONFIRM
rust -- evm | evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use evm_core::Memory::copy_large, the evm crate can over-allocate memory when it is not needed, making it possible for an attacker to perform a denial-of-service attack. The flaw was corrected in commit 19ade85. Users should upgrade to ==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, >=0.26.1. There are no workarounds. Please upgrade your evm crate version. | 2021-05-12 | not yet calculated | CVE-2021-29511; MISC, CONFIRM, MISC
CVE-2021-20277 
MLIST 
A flaw was found in Samba's libldb. Multiple, consecutive leading MISC 
samba -- libldb spaces in an LDAP attribute can lead to an out-of-bounds memory not vet MISC 
write, leading to a crash of the LDAP server process handling the || 2021-05-12 esi uiaed CONFIRM 
request. The highest threat from this vulnerability is to system FEDORA 
availability. FEDORA 
DEBIAN 
FEDORA 
CVE-2020-27840 
MISC 
A flaw was found in samba. Spaces used in a string around a MLIST 
sambace samba domain name (DN), while supposed to be ignored, can cause Hotvat CONFIRM 
invalid DN strings with spaces to instead write a zero-byte into 2021-05-12 Ginieicd MISC 
out-of-bounds memory, resulting in a crash. The highest threat FEDORA 
from this vulnerability is to system availability. FEDORA 
DEBIAN 
FEDORA 
Primary Vendor -- Product: samsung -- galaxy_s3_i9305_devices
Description: An issue was discovered on Samsung Galaxy S3 I9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-26146; MISC; MISC; MLIST

Primary Vendor -- Product: samsung -- galaxy_s3_i9305_devices
Description: An issue was discovered on Samsung Galaxy S3 I9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-26144; MISC; MISC; MLIST

Primary Vendor -- Product: samsung -- galaxy_s3_i9305_devices
Description: An issue was discovered on Samsung Galaxy S3 I9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-26145; MISC; MISC; MLIST
Primary Vendor -- Product: sap -- business_one_chef_cookbook
Description: SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One on SAP HANA, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application, thereby highly impacting the integrity and availability of the application.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC

Primary Vendor -- Product: sap -- business_one_chef_cookbook
Description: Under certain conditions, SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One for SAP HANA, allows an attacker to exploit an insecure temporary backup path and to access information which would otherwise be restricted, resulting in an Information Disclosure vulnerability highly impacting the confidentiality, integrity and availability of the application.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27616; MISC; MISC

Primary Vendor -- Product: sap -- business_one_chef_cookbook
Description: Under certain conditions, SAP Business One Chef cookbook, version - 9.2, 9.3, 10.0, used to install SAP Business One, allows an attacker to exploit an insecure temporary folder for incoming & outgoing payroll data and to access information which would otherwise be restricted, which could lead to Information Disclosure and highly impact system confidentiality, integrity and availability.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC

Primary Vendor -- Product: sap -- commerce
Description: SAP Commerce (Backoffice Search), versions - 1808, 1811, 1905, 2005, 2011, allows a low privileged user to search for attributes which are not supposed to be displayed to them. Although the search results are masked, the user can iteratively enter one character at a time to search and determine the masked attribute value, thereby leading to information disclosure.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC

Primary Vendor -- Product: sap -- gui_for_windows
Description: In specific situations SAP GUI for Windows, versions - 7.60, 7.70, forwards a user to a specific malicious website which could contain malware or might lead to phishing attacks to steal credentials of the victim.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27612; MISC; MISC

Primary Vendor -- Product: sap -- netweaver
Description: SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP report when the attacker has access to the local SAP system. The attacker could then get access to data, overwrite them, or execute a denial of service.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27611; MISC; MISC
Primary Vendor -- Product: sap -- process_integration
Description: The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not check the file type extension of the file uploaded from local source. An attacker could craft a malicious file and upload it to the application, which could lead to denial of service and impact the availability of the application.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27618; MISC; MISC
Primary Vendor -- Product: sap -- process_integration
Description: The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document uploaded from local source. An attacker can craft a malicious XML which, when uploaded and parsed by the application, could lead to Denial-of-Service conditions due to consumption of a large amount of system memory, thus highly impacting system availability.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27617; MISC; MISC
Primary Vendor -- Product: scalance -- xm-400_and_xr-500
Description: An unauthenticated remote attacker could create a permanent denial-of-service condition by sending specially crafted OSPF packets. Successful exploitation requires OSPF to be enabled on an affected device on the SCALANCE XM-400, XR-500 (All versions prior to v6.4).
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-28393; MISC; MISC
Primary Vendor -- Product: schedmd -- slurm
Description: SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-31215; CONFIRM; CONFIRM
Primary Vendor -- Product: simatic -- hmi_comfort_outdoor_panels
Description: A vulnerability has been identified in SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V16 Update 4), SIMATIC WinCC Runtime Advanced (All versions < V16 Update 4). SmartVNC has an out-of-bounds memory access vulnerability that could be triggered on the server side when sending data from the client, which could result in a Denial-of-Service condition.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-25660; MISC
Primary Vendor -- Product: simatic -- hmi_comfort_outdoor_panels
Description: A vulnerability has been identified in SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V16 Update 4), SIMATIC WinCC Runtime Advanced (All versions < V16 Update 4). SmartVNC has an out-of-bounds memory access vulnerability that could be triggered on the client side when sending data from the server, which could result in a Denial-of-Service condition.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-25661; MISC
Primary Vendor -- Product: simatic -- hmi_comfort_outdoor_panels
Description: SmartVNC client fails to handle an exception properly if the program execution process is modified after sending a packet from the server, which could result in a denial-of-service condition on the SIMATIC HMIs/WinCC Products SIMATIC HMI Comfort Outdoor Panels 7" and 15" (incl. SIPLUS variants), SIMATIC HMI Comfort Panels 4" to 22" (incl. SIPLUS variants), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, and KTP900F, SIMATIC WinCC Runtime Advanced (All versions prior to v16 Update 4).
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-25662; MISC; MISC
Primary Vendor -- Product: simatic -- hmi_comfort_panels
Description: A vulnerability has been identified in SIMATIC HMI Comfort Panels 1st Generation (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 4). Specially crafted packets sent to port 161/udp can cause the SNMP service of affected devices to crash. A manual restart of the device is required to resume operation of the service.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2019-19276; MISC
Primary Vendor -- Product: simatic -- multiple_hmi_products
Description: A vulnerability has been identified in SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V16 Update 4), SIMATIC WinCC Runtime Advanced (All versions < V16 Update 4). SmartVNC has a heap allocation leak vulnerability in the device layout handler on client side, which could result in a Denial-of-Service condition.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27386; MISC; MISC
Primary Vendor -- Product: simatic -- multiple_hmi_products
Description: A vulnerability has been identified in SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V16 Update 4), SIMATIC WinCC Runtime Advanced (All versions < V16 Update 4). SmartVNC has an out-of-bounds memory access vulnerability in the device layout handler, represented by a binary data stream on client side, which can potentially result in code execution.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27384; MISC; MISC

Primary Vendor -- Product: simatic -- multiple_hmi_products
Description: A remote attacker could send specially crafted packets to a SmartVNC device layout handler on the client side, which could influence the number of resources consumed and result in a denial-of-service condition (infinite loop) on the SIMATIC HMIs/WinCC Products SIMATIC HMI Comfort Outdoor Panels 7" and 15" (incl. SIPLUS variants), SIMATIC HMI Comfort Panels 4" to 22" (incl. SIPLUS variants), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, and KTP900F, SIMATIC WinCC Runtime Advanced (All versions prior to v16 Update 4).
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC; MISC

Primary Vendor -- Product: simatic -- multiple_hmi_products
Description: SmartVNC has a heap allocation leak vulnerability in the server Tight encoder, which could result in a denial-of-service condition on the SIMATIC HMIs/WinCC Products SIMATIC HMI Comfort Outdoor Panels 7" and 15" (incl. SIPLUS variants), SIMATIC HMI Comfort Panels 4" to 22" (incl. SIPLUS variants), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, and KTP900F, SIMATIC WinCC Runtime Advanced (All versions prior to v16 Update 4).
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27383; MISC; MISC; MISC

Primary Vendor -- Product: simatic -- multiple_products
Description: A vulnerability has been identified in SIMATIC NET CP 343-1 Advanced (incl. SIPLUS variants) (All versions), SIMATIC NET CP 343-1 Lean (incl. SIPLUS variants) (All versions), SIMATIC NET CP 343-1 Standard (incl. SIPLUS variants) (All versions). Specially crafted packets sent to TCP port 102 could cause a Denial-of-Service condition on the affected devices. A cold restart might be necessary in order to recover.
Published: [illegible in source]
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC

Primary Vendor -- Product: sis -- sis-rewe_go
Description: SIS SIS-REWE Go before 7.7 SP17 allows XSS: rewe/prod/web/index.php (affected parameters are config, version, win, db, pwd, and user) and /rewe/prod/web/rewe_go_check.php (version and all other parameters).
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-31537; MISC; MISC; MISC

Primary Vendor -- Product: smartstore -- smartstore
Description: An issue was discovered in Smartstore (aka SmartStoreNET) through 4.1.1. [text illegible in source] call HtmlUtils.SanitizeHtml on certain text for a forum post.
Published: [illegible in source]
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC

Primary Vendor -- Product: smartstore -- smartstore
Description: An issue was discovered in Smartstore (aka SmartStoreNET) through 4.1.1. [text illegible in source] does not call HtmlUtils.SanitizeHtml on a private message.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-32607; MISC

Primary Vendor -- Product: solarwinds -- serv-u
Description: SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-32604; MISC

Primary Vendor -- Product: sonicwall -- email_security_virtual_appliance
Description: SonicWall Email Security Virtual Appliance version 10.0.9 and earlier versions [text illegible in source] password that is [text illegible in source] used at initial setup. An attacker could exploit this transitional/temporary user account from the trusted domain to access the Virtual Appliance remotely only when the device is freshly installed and not connected to Mysonicwall.
Published: [illegible in source]
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; CONFIRM

Primary Vendor -- Product: speco -- web_viewer
Description: Speco Web Viewer through 2021-05-12 allows Directory Traversal via GET request for a URI with /.. at the beginning, as demonstrated by reading the /etc/passwd file.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-32572; MISC; MISC

Primary Vendor -- Product: squirrelly -- squirrelly
Description: Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-32819; MISC

Primary Vendor -- Product: symfony -- symfony
Description: Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-21424; CONFIRM
Primary Vendor -- Product: [illegible in source] (Synapse)
Description: Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC
Primary Vendor -- Product: systemd -- dhcp_client
Description: An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DHCP ACK packets to reconfigure the server.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-13529; MISC
Primary Vendor -- Product: teamcity -- intellij
Description: Information disclosure in the TeamCity plugin for IntelliJ before 2020.2.2.85899 was possible because a local temporary file had Insecure Permissions.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-26309; MISC; MISC

Primary Vendor -- Product: teamcity -- intellij
Description: In the TeamCity IntelliJ plugin before 2020.2.2.85899, DoS was possible.
Published: [illegible in source]
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC
Primary Vendor -- Product: tecnomatix -- plant_simulation
Description: A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V16.0.5). The PlantSimCore.dll library lacks proper validation of user-supplied data when parsing SPP files. This could result in a stack based buffer overflow, a different vulnerability than CVE-2021-27396. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13290)
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27398; MISC; MISC

Primary Vendor -- Product: tecnomatix -- plant_simulation
Description: A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V16.0.5). The PlantSimCore.dll library lacks proper validation of user-supplied data when parsing SPP files. This could result in a memory corruption condition. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13287)
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27397; MISC; MISC

Primary Vendor -- Product: tecnomatix -- plant_simulation
Description: A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V16.0.5). The PlantSimCore.dll library lacks proper validation of user-supplied data when parsing SPP files. This could result in a stack based buffer overflow, a different vulnerability than CVE-2021-27398. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13279)
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-27396; MISC; MISC
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The TFLite computation for size of output after padding, `ComputeOutSize` (https://github.com/tensorflow/tensorflow/blob/Og9692ae7b1671 [URL truncated in source] L55), does not check that the `stride` argument is not 0 before doing the division. Users can craft special models such that `ComputeOutSize` is called with `stride` set to 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29585; MISC; CONFIRM

Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. TFLite's convolution code (https://github.com/tensorflow/tensorflow/blob/09c73bca7d648e961dd058982 [URL truncated in source]) has multiple division where the divisor is controlled by the user and not checked to be non-zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29594; CONFIRM

Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `EmbeddingLookup` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/e4b29809543b250bc9b19678e [URL truncated in source] L74). An attacker can craft a model such that the first dimension of the `value` input is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; CONFIRM; MISC
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthToSpace` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e [URL truncated in source] L69). An attacker can craft a model such that `params->block_size` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; CONFIRM; MISC
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The optimized implementation of the `TransposeConv` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e017 [URL truncated in source] L5222). An attacker can craft a model such that `stride_{h,w}` values are 0. Code calling this function must validate these arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC; CONFIRM
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `BatchToSpaceNd` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/b5ed552fe5589aee8bd8b191 [URL truncated in source] L82). An attacker can craft a model such that one dimension of the `block` input is 0. Hence, the corresponding value in `block_shape` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC; CONFIRM
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The fix for CVE-2020-15209 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15209) missed the case when the target shape of `Reshape` operator is given by the elements of a 1-D tensor. As such, the fix for the vulnerability (https://github.com/tensorflow/tensorflow/blob/9c1dc92 [URL truncated in source] L1074) allowed passing a null-buffer-backed tensor with a 1D shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: [illegible in source]
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29592; CONFIRM
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. TFLite graphs must not have loops between nodes. However, this condition was not checked and an attacker could craft models that would result in infinite loop during evaluation. In certain cases, the infinite loop would be replaced by stack overflow due to too many recursive calls. For example, the `While` implementation (https://github.com/tensorflow/tensorflow/blob/106d [URL truncated in source]) could be tricked into a scenario where both the body and the loop subgraphs are the same. Evaluating one of the subgraphs means calling the `Eval` function for the other and this quickly exhausts all stack space. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range. Please consult our security guide (https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; CONFIRM; MISC; MISC
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `SVDF` TFLite operator is vulnerable to a division by zero error ([link not legible in source] L102). An attacker can craft a model such that `params->rank` would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; CONFIRM; MISC
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `SpaceToBatchNd` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/412c7d9bb8f8a762c [URL truncated in source] L83). An attacker can craft a model such that one dimension of the `block` input is 0. Hence, the corresponding value in `block_shape` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC; CONFIRM
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `Split` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/e2752089ef7ce9bcf3db0ec618 [URL truncated in source] L65). An attacker can craft a model such that `num_splits` would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]

Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation (https://github.com/tensorflow/tensorflow/blob/656e4673b14acd783 [URL truncated in source]) has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of `*_indices` matches the size of corresponding `*_shape`. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: [illegible in source]
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29607; MISC; MISC; CONFIRM
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `OneHot` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/f61c57bd42587 [URL truncated in source] L72). An attacker can craft a model such that at least one of the dimensions of `indices` would be 0. In turn, the `prefix_dim_size` value would become 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC; CONFIRM
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthwiseConv` TFLite operator is vulnerable to a division by zero error (https://github.com/tensorflow/tensorflow/blob/1a8e885b864c8 [URL truncated in source] L288). An attacker can craft a model such that `input`'s fourth dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; CONFIRM; MISC

Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure. The implementation (https://github.com/tensorflow/tensorflow/blob/e87b [URL truncated in source]) has no validation that the input arguments specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are the only affected versions.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC; CONFIRM

Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `tf.raw_ops.CTCLoss` allows an attacker to trigger an OOB read from heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29613; CONFIRM; MISC; MISC

Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of `ParseAttrValue` (https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tenso [URL truncated in source] L453) can be tricked into stack overflow due to recursion by giving in a specially crafted input. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; MISC; CONFIRM

Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of `TrySimplify` (https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/c [URL truncated in source] L401) has undefined behavior due to dereferencing a null pointer in corner cases that result in optimizing a node with no inputs. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29616; CONFIRM; MISC
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via `CHECK`-fail in `tf.strings.substr` with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29617; MISC; CONFIRM; MISC; MISC

Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Passing a complex argument to `tf.transpose` at the same time as passing `conjugate=True` argument results in a crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29618; MISC; CONFIRM; MISC; MISC

Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The `Prepare` step of the `SpaceToDepth` TFLite operator does not check for 0 before division (https://github.com/tensorflow/tensorflow/blob/5f7975d09eac0f1 [URL truncated in source] L67). An attacker can craft a model such that `params->block_size` would be zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; CONFIRM; MISC
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger undefined behavior by binding to null pointer in `tf.raw_ops.ParameterizedTruncatedNormal`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/3f6fe4dfef6f57e7682 [URL truncated in source]) does not validate input arguments before accessing the first element of `shape`. If `shape` argument is empty, then `shape_tensor.flat<T>()` is an empty array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: [CVE id illegible in source]; CONFIRM; MISC
Primary Vendor -- Product: tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow by passing crafted inputs to `tf.raw_ops.StringNGrams`. This is because the implementation (https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc [URL truncated in source] L185) fails to consider corner cases where input would be split in such a way that the generated tokens should only contain padding elements. If input is such that `num_tokens` is 0, then, for `data_start_index=0` (when left padding is present), the marked line would result in reading `data[-1]`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29542; CONFIRM; MISC
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.Reverse`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/36229ea9e9451dac1 L76) performs a division based on the first dimension of the tensor argument. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference in the implementation of `tf.raw_ops.SparseFillEmptyRows`. This is because of missing validation(https://github.com/tensorflow/tensorflow/blob/fdc82089d406e281c628a9 L231) that was covered under a `TODO`. If the `dense_shape` tensor is empty, then `dense_shape_t.vec<>()` would cause a null pointer dereference in the implementation of the op. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference in the implementation of `tf.raw_ops.EditDistance`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/79864b542f9ffdc9ca L159) has incomplete validation of the input parameters. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.SparseConcat`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b90) takes the values specified in `shapes[0]` as dimensions for the output shape. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299 L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299 L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Source & Patch Info: CVE-2021-29534, CONFIRM

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.RFFT`. Eigen code operating on an empty matrix can trigger on an assertion and will cause program termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29563, CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.IRFFT`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29562, MISC, CONFIRM

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from `tf.raw_ops.LoadAndRemapMatrix`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad L222) assumes that the `ckpt_path` is always a valid scalar. However, an attacker can send any other tensor as the first argument of `LoadAndRemapMatrix`. This would cause the rank `CHECK` in `scalar<T>()()` to trigger and terminate the process. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29561, MISC, CONFIRM

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedMul` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/87cf4 L290) assumes that the 4 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29535, CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can access data outside of bounds of heap allocated array in `tf.raw_ops.UnicodeEncode`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/472c) assumes that the `input_value`/`input_splits` pair specify a valid sparse tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.SparseSplit`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/699b L530) accesses an array element based on a user controlled offset. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.SparseMatMul`. The division by 0 occurs deep in Eigen code because the `b` tensor is empty. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29557, MISC, CONFIRM

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.FusedBatchNorm`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/828f346274841fa7505f70 L297) performs a division based on the last dimension of the `x` tensor. Since this is controlled by the user, an attacker can trigger a denial of service. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK` failure by passing an empty image to `tf.raw_ops.DrawBoundingBoxes`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/ea34a18dc3f5c8d80 L165) uses `CHECK_*` assertions instead of `OP_REQUIRES` to validate user controlled inputs. Whereas `OP_REQUIRES` allows returning an error condition back to the user, the `CHECK_*` macros result in a crash if the condition is false, similar to `assert`. In this case, `height` is 0 from the `images` input. This results in `max_box_row_clamp` being negative and the assertion being falsified, followed by aborting program execution. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29533, CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.DenseCountSparseOutput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efff01 L127) computes a divisor value from user data but does not check that the result is 0 before doing the division. Since `data` is given by the `values` argument, `num_batch_elements` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, and TensorFlow 2.3.3, as these are also affected.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedReshape` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a324ac84e573fba362a5e53d4e74d5de6729933e L55) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29536, CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by controlling the values of `num_segments` tensor argument for `UnsortedSegmentJoin`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a2a6 L93) assumes that the `num_segments` tensor is a valid scalar. Since the tensor is empty the `CHECK` involved in `.scalar<T>()()` that checks that the number of elements is exactly 1 will be invalidated and this would result in process termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29552, CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixTriangularSolve`(https://github.com/tensorflow/tensorflow/blob/8cae746d84 L240) fails to terminate kernel execution if one validation condition fails. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: MISC, CONFIRM

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a division by zero to occur in `Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd94 L522) computes a divisor based on user provided data (i.e., the shape of the tensors given as arguments). If all shapes are empty then `work_unit_size` is 0. Since there is no check for this case before division, this results in a runtime exception, with potential to be abused for a denial of service. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29538, MISC, CONFIRM

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55a9) does not validate all constraints specified in the op's contract(https://www.tensorflow.org/api_docs/python/tf/raw_ops/QuantizedBatchNormWithGlobalNormalization). The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: not yet calculated

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a segfault and denial of service via accessing data outside of bounds in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55a97fcaa9e99c7f37 L189) assumes the inputs are not empty. If any of these inputs is empty, `.flat<T>()` is an empty buffer, so accessing the element at index 0 is accessing data outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger an integer division by zero undefined behavior in `tf.raw_ops.QuantizedBiasAdd`. This is because the implementation of the Eigen kernel(https://github.com/tensorflow/tensorflow/blob/61bca8bd5ba L849) does a division by the number of elements of the smaller input (based on shape) without checking that this is not zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: MISC, CONFIRM

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.ImmutableConst`(https://www.tensorflow.org/api_docs/python/tf/raw_ops/ImmutableConst) with a `dtype` of `tf.resource` or `tf.variant` results in a segfault in the implementation as code assumes that the tensor contents are pure scalars. We have patched the issue in 4f663d4b8f0bec1b48da6fa091a7d29609980fa4 and will release TensorFlow 2.5.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. If using `tf.raw_ops.ImmutableConst` in code, you can prevent the segfault by inserting a filter for the `dtype` argument.
Published: 2021-05-14 | CVSS Score: not yet calculated

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.QuantizeAndDequantizeV4Grad`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/9507c145b5a7a43 L163) does not validate the rank of the `input_*` tensors. In turn, this results in the tensors being passed as they are to `QuantizeAndDequantizePerChannelGradientImpl`(https://github.com/tensorflow/t L306). However, the `vec<T>` method requires the rank to be 1 and triggers a `CHECK` failure otherwise. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 as this is the only other affected version.
Published: 2021-05-14 | CVSS Score: not yet calculated

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.CTCGreedyDecoder`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1615440b17b364b8 L50) has a `CHECK_LT` inserted to validate some invariants. When this condition is false, the program aborts, instead of returning a valid error to the user. This abnormal termination can be weaponized in denial of service attacks. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can write outside the bounds of heap allocated arrays by passing invalid arguments to `tf.raw_ops.Dilation2DBackpropInput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/afd95fe65f15aea4d4 L322) does not validate before writing to the output array. The values for `h_out` and `w_out` are guaranteed to be in range for `out_backprop` (as they are loop indices bounded by the size of the array). However, there are no similar guarantees relating `h_in_max`/`w_in_max` and `in_backprop`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a `CHECK` fail in PNG encoding by providing an empty input tensor as the pixel data. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a8009d23110841525c6f7c3289 L60) only validates that the total number of pixels in the image does not overflow. Thus, an attacker can send an empty matrix for encoding. However, if the tensor is empty, then the associated buffer is `nullptr`. Hence, when calling `png::WriteImageToBuffer`(https://github.com/tensorflow/tensorflow L93), the first argument (i.e., `image.flat<T>().data()`) is `NULL`. This then triggers the `CHECK_NOTNULL` in the first line of `png::WriteImageToBuffer`(https://github.com/tensorflow/tensorflow L349). Since `image` is null, this results in `abort` being called after printing the stacktrace. Effectively, this allows an attacker to mount a denial of service attack. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: not yet calculated | Source & Patch Info: CONFIRM

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` is vulnerable to a division by 0. The implementation(https://github.com/tensorflow/tensorflow/blob/279bab6efa22752a2 L1034) fails to validate that the batch dimension of the tensor is non-zero, before dividing by this quantity. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixDiag*` operations(https://github.com/tensorflow/tensorflow/blob/4c4f420e68f1cfaf8f4b6e8 L197) does not validate that the tensor arguments are non-empty. The fix will be included in TensorFlow 2.5.0. We will also
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: MISC, CONFIRM

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/ab1e L203) fails to validate that indices used to access elements of input/output arrays are valid. Whereas accesses to `input_backprop_flat` are guarded by `FastBoundsCheck`, the indexing in `out_backprop_flat` can result in OOB access. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The API of `tf.raw_ops.SparseCross` allows combinations which would result in a `CHECK`-failure and denial of service. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/3d782b7d47b1bf2ed L116) is tricked to consider a tensor of type `tstring` which in fact contains integral elements. Fixing the type confusion by preventing mixing `DT_STRING` and `DT_INT64` types solves this issue. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPool3DGradGrad` exhibits undefined behavior by dereferencing null pointers backing attacker-supplied empty tensors. The implementation(https://github.com/tensorflow/tensorflow/blob/72fe7 L703) fails to validate that the 3 tensor inputs are not empty. If any of them is empty, then accessing the elements in the tensor results in dereferencing a null pointer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. A malicious user could trigger a division by 0 in `Conv3D` implementation. The implementation(https://github.com/tensorflow/tensorflow/blob/42034603003965bffac51ae171b51801565e002d L145) does a modulo operation based on user controlled input. Thus, when `filter` has a 0 as the fifth element, this results in a division by 0. Additionally, if the shape of the two tensors is not valid, an Eigen assertion can be triggered, resulting in a program crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29517, CONFIRM, MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.SdcaOptimizer` triggers undefined behavior due to dereferencing a null pointer. The implementation(https://github.com/tensorflow/tensorflow/blob/60a44c8b6192a4699) does not validate that the user supplied arguments satisfy all constraints expected by the op(https://www.tensorflow.org/api_docs/python/tf/raw_ops/SdcaOptimizer). The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: MISC

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Missing validation between arguments to `tf.raw_ops.Conv3DBackprop*` operations can result in heap buffer overflows. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/4814fafb0ca6b5ab58 L153) assumes that the `input`, `filter_sizes` and `out_backprop` tensors have the same shape, as they are accessed in parallel. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.RaggedTensorToVariant` with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of `RaggedTensorToVariant` operations(https://github.com/tensorflow/tensorflow/blob/904b3926 L40) does not validate that the ragged tensor argument is non-empty. Since `batched_ragged` contains no elements, `batched_ragged.splits` is a null vector, thus `batched_ragged.splits(0)` will result in dereferencing `nullptr`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.AddManySparseToTensorsMap`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299) takes the values specified in `sparse_shape` as dimensions for the output shape. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299 L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299 L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FractionalAvgPoolGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/dcba7) fails to validate that the pooling sequence arguments have enough elements as required by the `out_backprop` tensor shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTens), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the `splits` tensor buffer in the implementation of the `RaggedBincount` op(https://github.com/tensorflow/tensorflow/blob/8b677d79167799f L446). Before the `for` loop, `batch_idx` is set to 0. The attacker sets `splits(0)` to be 7, hence the `while` loop does not execute and `batch_idx` remains 0. This then results in writing to `out(-1, bin)`, which is before the heap allocated buffer for the output tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.

tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropInput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b40060c9f697b044e L655) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14


tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2D`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/9880c7bd83f144af14 L263) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14


tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedConv2D`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/00e9a4d67d76703fa L259) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14


tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedMul`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55900e961ed4a23b83920249 L198) does a division by a quantity that is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | Source & Patch Info: CONFIRM
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/ac32§eaa3870491478220004e91a790643/tensor L50) assumes that the `input_min` and `input_max` tensors have at least one element, as it accesses the first element in two arrays. If the tensors are empty, `.flat<T>()` is an empty object, backed by an empty array. Hence, accessing even the 0th element is a read outside the bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Source & Patch Info: CVE-2021-29569, CONFIRM, MISC
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.AvgPool3DGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/d80ffha9702dc19d1 L450) assumes that the `orig_input_shape` and `grad` tensors have similar first and last dimensions but does not check that this assumption is validated. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. The conversion from Python array to C++ array(https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef L169) is vulnerable to a type confusion. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: not yet calculated | Source & Patch Info: CONFIRM








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor` (https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTens), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the `splits` tensor buffer in the implementation of the `RaggedBincount` op(https://github.com/tensorflow/tensorflow/blob/8b677d79167799f L433). Before the `for` loop, `batch_idx` is set to 0. The user controls the `splits` array, making it contain only one element, 0. Thus, the code in the `while` loop would increment `batch_idx` and then try to read `splits(1)`, which is outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Optimized pooling implementations in TFLite fail to check that the stride arguments are not 0 before calling `ComputePaddingHeightWidth` (https://github.com/tensorflow/tensa). Since users can craft special models which will have `params->stride_{height,width}` be zero, this will result in a division by zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: MISC, CONFIRM
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedResizeBilinear` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/50711 L706) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. In eager mode (default in TF 2.0 and later), session operations are invalid. However, users could still call the raw ops associated with them and trigger a null pointer dereference. The implementation(https://github.com/tensorflow/tensorflow/blob/eebb$6c2830d48597055d247c) dereferences the session state pointer without checking if it is valid. Thus, in eager mode, `ctx->session_state()` is nullptr and the call of the member function is undefined behavior. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: MISC, CONFIRM


tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow to occur in `Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorfl L497) computes the size of the filter tensor but does not validate that it matches the number of elements in `filter_sizes`. Later, when reading/writing to this buffer, code uses the value computed here, instead of the number of elements in the tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29540, CONFIRM, MISC


TensorFlow is an end-to-end open source platform for machine learning. Specifying a negative dense shape in `tf.raw_ops.SparseCountSparseOutput` results in a segmentation fault being thrown out from the standard library as `std::vector` invariants are broken. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/8f7b60ee8c0206a2c49802e3a4d1bb55d2bc0624/tensorf L213) assumes the first element of the dense shape is always positive and uses it to initialize a `BatchedMap<T>` (i.e., `std::vector<absl::flat_hash_map<int64, T>>` (https://github.com/tensorflow/tensorfl)) data structure. If the `shape` tensor has more than one element, `num_batches` is the first value in `shape`. Ensuring that the `dense_shape` argument is a valid tensor shape (that is, all elements are non-negative) solves this issue. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29521, MISC


tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The `tf.raw_ops.Conv3DBackprop*` operations fail to validate that the input tensors are not empty. In turn, this would result in a division by 0. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a91bh59769f19146da0c20060244378682 L450) does not check that the divisor used in computing the shard size is not zero. Thus, if attacker controls the input sizes, they can trigger a denial of service via a division by zero error. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC


TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/496c4630e51c1a478099b) does a modulus operation where the divisor is controlled by the caller. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: MISC, CONFIRM
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in `tf.raw_ops.QuantizedResizeBilinear` by manipulating input values so that float rounding results in off-by-one error in accessing image elements. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/44b71486c0143f68b56c34e2d01c L66) computes two integers (representing the upper and lower bounds for interpolation) by ceiling and flooring a floating point value. For some values of `in`, `interpolation->upper[i]` might be smaller than `interpolation->lower[i]`. This is an issue if `interpolation->upper[i]` is capped at `in_size-1` as it means that `interpolation->lower[i]` points outside of the image. Then, in the interpolation code(https://github.com/tensorflow/tensorflow/blob/44b7f486c0143168b56c34e2d0 L264), this would result in heap buffer overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29529, MISC, CONFIRM








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can force accesses outside the bounds of heap allocated arrays by passing in invalid tensor values to `tf.raw_ops.RaggedCross`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efeaQ L487) lacks validation for the user supplied arguments. Each of the above branches call a helper function after accessing array elements via a `*_list[next_*]` pattern, followed by incrementing the `next_*` index. However, as there is no validation that the `next_*` values are in the valid range for the corresponding `*_list` arrays, this results in heap OOB reads. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29532, CONFIRM








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail caused by an integer overflow in constructing a new tensor shape. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/0908c2f2397c09933 L70) builds a dense shape without checking that the dimensions would not result in overflow. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a085394086e4e L188) uses a `CHECK` operation which triggers when `InitDims` (https://github.com/tensorflow/tensorflow/blob/6f989689 L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: not yet calculated








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference by providing an invalid `permutation` to `tf.raw_ops.SparseMatrixSparseCholesky`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/080f1 L86) fails to properly validate the input arguments. Although `ValidateInputs` is called and there are checks in the body of this function, the code proceeds to the next line in `ValidateInputs` since `OP_REQUIRES` (https://github.com/tensorflow/tensorflow/blob/080f12 L48) is a macro that only exits the current function. Thus, the first validation condition that fails in `ValidateInputs` will cause an early return from that function. However, the caller will continue execution from the next line. The fix is to either explicitly check `context->status()` or to convert `ValidateInputs` to return a `Status`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Source & Patch Info: CVE-2021-29530, MISC
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null pointer in `tf.raw_ops.StringNGrams`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc59e468d9781741ac7d01bf/tensorf L74) does not fully validate the `data_splits` argument. This would result in `ngrams_data` (https://github.com/tensorflow/tensorflow/blob/1cdd4 L110) to be a null pointer when the output would be computed to have 0 or negative size. Later writes to the output tensor would then cause a null pointer dereference. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB read on heap in the TFLite implementation of `Split_V` (https://github.com/tensorflow/tensorflow/blob/c59c37e7b20563967da813fa50fe20b21f4da683/tensorflow/lite/). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the `SizeOfDimension` function(https://github.com/tensorflow/tensorflow/blob/102b211d892 L150) will access data outside the bounds of the tensor shape array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29606, CONFIRM








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementations of the `Minimum` and `Maximum` TFLite operators can be used to read data outside of bounds of heap allocated objects, if any of the two input tensor arguments are empty. This is because the broadcasting implementation (https://github.com/tensorflow/tensorflow/blob/0d45ca4ea041b21b7bef8c7ée0 L56) indexes in both tensors with the same index but does not validate that the index is within bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: not yet calculated | Source & Patch Info: CONFIRM








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.CTCBeamSearchDecoder`, an attacker can trigger denial of service via segmentation faults. The implementation (https://github.com/tensorflow/tensorflow/blob/a74768f8e4efbda4d L79) fails to detect cases when the input tensor is empty and proceeds to read data from a null buffer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FractionalMaxPoolGrad` triggers an undefined behavior if one of the input tensors is empty. The code is also vulnerable to a denial of service attack as a `CHECK` condition becomes false and aborts the process. The implementation(https://github.com/tensorflow/tensorflow/blob/169094888d50ce488) fails to validate that input and output tensors are not empty and are of the same rank. Each of these unchecked assumptions is responsible for the above issues. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: not yet calculated
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPool3DGradGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/596c05a159b6fbb9e9ca10b3f77H3b7244fa1e9/tensorfl L696) does not check that the initialization of `Pool3dParameters` completes successfully. Since the constructor(https://github.com/tensorflow/tensorflow/blob/596c05a1 L88) uses `OP_REQUIRES` to validate conditions, the first assertion that fails interrupts the initialization of `params`, making it contain invalid data. In turn, this might cause a heap buffer overflow, depending on default initialized values. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: not yet calculated | Source & Patch Info: 2021-2957








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.ReverseSequence` allows for stack overflow and/or `CHECK`-fail based denial of service. The implementation(https://github.com/tensorflow/tensorflow/blob/5b3b071975e01f0d2 L118) fails to validate that `seq_dim` and `batch_dim` arguments are valid. Negative values for `seq_dim` can result in stack overflow or `CHECK`-failure, depending on the version of Eigen code used to implement the operation. Similar behavior can be exhibited by invalid values of `batch_dim`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29575, CONFIRM, MISC





tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of concatenation is vulnerable to an integer overflow issue(https://github.com/tensorflow/tensorflow/blob/7b7352a724b690b11bfaae2cd L76). An attacker can craft a model such that the dimensions of one of the concatenation inputs overflow the values of `int`. TFLite uses `int` to represent tensor dimensions, whereas TF uses `int64`. Hence, valid TF models can trigger an integer overflow when converted to TFLite format. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29601, CONFIRM, MISC





tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FusedBatchNorm` is vulnerable to a heap buffer overflow. If the tensors are empty, the same implementation can trigger undefined behavior by dereferencing null pointers. The implementation(https://github.com/tensorflow/tensorflow/blob/57d8@e0db5d1365f1) fails to validate that `scale`, `offset`, `mean` and `variance` (the last two only when required) all have the same number of elements as the number of channels of `x`. This results in heap out of bounds reads when the buffers backing these tensors are indexed past their boundary. If the tensors are empty, the validation mentioned in the above paragraph would also trigger and prevent the undefined behavior. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29583, MISC, CONFIRM





tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in converting sparse tensors to CSR Sparse matrices. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/800346f2c03a27e18) does a double redirection to access an element of an array allocated on the heap. If the value at `indices(i, 0)` is such that `indices(i, 0) + 1` is outside the bounds of `csr_row_ptr`, this results in writing outside of bounds of heap allocated data. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29545, CONFIRM, MISC
tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/31bd4026304677faa L130) assumes that the last element of `boxes` input is 4, as required by the op (https://www.tensorflow.org/api_docs/python/tf/raw_ops/DrawBoundingBoxesV2). Since this is not checked attackers passing values less than 4 can write outside of bounds of heap allocated objects and cause memory corruption. If the last dimension in `boxes` is less than 4, accesses similar to `tboxes(b, bb, 3)` will access data outside of bounds. Further during code execution there are also writes to these indices. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29571, MISC, CONFIRM








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB write on heap in the TFLite implementation of `ArgMin`/`ArgMax` (https://github.com/tensorflow/tensorflow/blob/102b211d892f3abe14f845a72047809b39cc65ab/ten L59). If `axis_value` is not a value between 0 and `NumDimensions(input)`, then the condition in the `if` is never true, so code writes past the last valid element of `output_dims->data`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29603, CONFIRM, MISC








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of hashtable lookup is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/1a8e885b864c8 L115). An attacker can craft a model such that `values`'s first dimension would be 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CONFIRM, MISC








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The TFLite code for allocating `TFLiteIntArray`s is vulnerable to an integer overflow issue(https://github.com/tensorflow/tensorflow/blob/4ceffae632721452bf3501b736 L27). An attacker can craft a model such that the `size` multiplier is so large that the return value overflows the `int` datatype and becomes negative. In turn, this results in invalid value being given to `malloc` (https://github.com/tensorflow/tensorflow/blob/4ceffae632721e52bf3501b7 L52). In this case, `ret->size` would dereference an invalid pointer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: CVE-2021-29605, CONFIRM





tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation (https://github.com/tensorflow/tensorflow/blob/ef0c L1017) uses the same value to index in two different arrays but there is no guarantee that the sizes are identical. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS Score: not yet calculated | Source & Patch Info: CONFIRM








tensorflow -- tensorflow
TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.Dequantize`, an attacker can trigger a read from outside of bounds of heap allocated data. The implementation(https://github.com/tensorflow/tensorflow/blob/2600$593aa94b17423 L131) accesses the `min_range` and `max_range` tensors in parallel but fails to check that they have the same shape. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14 | CVSS Score: not yet calculated | Source & Patch Info: MISC, CONFIRM
tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.RaggedTensorToTensor`, an attacker can exploit an undefined behavior if input arguments are empty. The implementation(https://github.com/tensorflow/tensorflow/blob/656e4673b14acd783 L360) only checks that one of the tensors is not empty, but does not check for the other ones. There are multiple `DCHECK` validations to prevent heap OOB, but these are no-op in release builds, hence they don't prevent anything. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: MISC, MISC, CONFIRM, MISC
tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation(https://github.com/tensorflow/tensorflow/blob/656e) has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of `*_indices` matches the size of corresponding `*_shape`. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29609, MISC, CONFIRM, MISC
tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The validation in `tf.raw_ops.QuantizeAndDequantizeV2` allows invalid values for the `axis` argument. The validation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow L77) uses `||` to mix two different conditions. If `axis_ < -1` the condition in `OP_REQUIRES` will still be true, but this value of `axis_` results in heap underflow. This allows attackers to read/write to other data on the heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29610, CONFIRM, MISC
tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in the Eigen implementation of `tf.raw_ops.BandedTriangularSolve`. The implementation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow L278) calls `ValidateInputTensors` for input validation but fails to validate that the two tensors are not empty. Furthermore, since the `OP_REQUIRES` macro only stops execution of the current function after setting `ctx->status()` to a non-OK value, callers of helper functions that use `OP_REQUIRES` must check the value of `ctx->status()` before continuing. This doesn't happen in this op's implementation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow), hence the validation that is present is also not effective. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29612, CONFIRM, MISC, MISC
tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.io.decode_raw` produces incorrect results and crashes the Python interpreter when combining `fixed_length` and wider datatypes. The implementation of the padded version(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core) is buggy due to a confusion about pointer arithmetic rules. First, the code computes(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core) the width of each output element by dividing the `fixed_length` value by the size of the type argument. The `fixed_length` argument is also used to determine the size needed for the output tensor(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core L79). This is followed by reencoding code(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core L94). The erroneous code is the last line above: it is moving the `out_data` pointer by `fixed_length * sizeof(T)` bytes whereas it only copied at most `fixed_length` bytes from the input. This results in parts of the input not being decoded into the output. Furthermore, because the pointer advance is far wider than desired, this quickly leads to writing to outside the bounds of the backing data. This OOB write leads to interpreter crash in the reproducer mentioned here, but more severe attacks can be mounted too, given that this gadget allows writing to periodically placed locations in memory. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.SparseDenseCwiseMul`, an attacker can trigger denial of service via `CHECK`-fails or accesses to outside the bounds of heap allocated data. Since the implementation(https://github.com/tensorflow/tensorflow/blob/3817¢a2f7a681a783hbb09127021 34bfe3b4d84 L80) only validates the rank of the input arguments but no constraints between dimensions(https://www.tensorflow.org/api_docs/python/tf/raw_ops/Sparse), an attacker can abuse them to trigger internal `CHECK` assertions (and cause program termination, denial of service) or to write to memory outside of bounds of heap allocated tensor buffers. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Source & Patch Info: MISC

tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. Passing invalid arguments (e.g., discovered via fuzzing) to `tf.raw_ops.SparseCountSparseOutput` results in segfault. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29619, MISC, CONFIRM

tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.RaggedTensorToTensor`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad L222) uses the same index to access two arrays in parallel. Since the user controls the shape of the input arguments, an attacker could trigger a heap OOB access when `parent_output_index` is shorter than `row_split`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29560, CONFIRM, MISC

tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can read data outside of bounds of a heap allocated buffer in `tf.raw_ops.QuantizeAndDequantizeV3`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/11ff7f80667e6490d7) does not validate the value of the user supplied `axis` attribute before using it to index in the array backing the `input` argument. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: MISC, CONFIRM
tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.FractionalAvgPool`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/acc8@e69f5f46f92a3t L89) computes a divisor quantity by dividing two user controlled values. The user controls the values of `input_size[i]` and `pooling_ratio_[i]` (via the `value.shape()` and `pooling_ratio` arguments). If the value in `input_size[i]` is smaller than the `pooling_ratio_[i]`, then the floor operation results in `output_size[i]` being 0. The `DCHECK_GT` line is a no-op outside of debug mode, so in released versions of TF this does not trigger. Later, these computed values are used as arguments(https://github.com/tensorflow/tensorflow/blob/acc8ee69ipf46f92a3f111 L99) to `GeneratePoolingSequence`(https://github.com/tensorflow/tensorflqw/blob/acc8ee L108). There, the first computation is a division in a modulo operation. Since `output_length` can be 0, this results in runtime crashing. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29550, CONFIRM, MISC
tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479ce64f2a02000880d8df151c/tensorflow L295) computes a modulo operation without validating that the divisor is not zero. Since `vector_num_elements` is determined based on input shapes(https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479ce64f2a02000880d8df151c/tensorflow/core L544), a user can trigger scenarios where this quantity is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29549, CONFIRM, MISC
tensorflow -- tensorflow
Description: TensorFlow is an end-to-end open source platform for machine learning. The reference implementation of the `GatherNd` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641bP). An attacker can craft a model such that the `params` input would be an empty tensor. In turn, `params_shape.Dims(.)` would be zero, in at least one dimension. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: MISC, CONFIRM
teradici -- pcoip_agent
Description: An attacker may cause a Denial of Service (DoS) in multiple versions of Teradici PCoIP Agent via a null pointer dereference.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-25693, MISC

teradici -- pcoip_graphics_agent
Description: Teradici PCoIP Graphics Agent for Windows prior to 21.03 does not validate NVENC.dll. An attacker could replace the .dll and redirect pixels elsewhere.
Published: 2021-05-13
CVSS Score: not yet calculated

thunar -- thunar
Description: An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: MISC, MISC, MISC, MLIST
ticketer -- ticketer
Description: Ticketer is a command based ticket system cog (plugin) for the Red discord bot. A vulnerability allowing discord users to expose sensitive information has been found in the Ticketer cog. Please upgrade to version 1.0.1 as soon as possible. As a workaround users may unload the ticketer cog to disable the exploitable code.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29501, MISC, CONFIRM

tp-link -- archer_c2100_firmware
Description: TP-Link Archer C1200 firmware version 1.13 Build 2018/01/24 rel.52299 EU has an XSS vulnerability allowing a remote attacker to execute arbitrary code.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-17891, MISC

trend_micro -- housecall
Description: An incorrect permission vulnerability in the product installer for Trend Micro HouseCall for Home Networks version 5.3.1179 and below could allow an attacker to escalate privileges by placing arbitrary code on a specified folder and have that code be executed by an Administrator who is running a scan. Please note that an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-28649, N/A, N/A
trend_micro -- housecall
Description: An incorrect permission vulnerability in the product installer folders for Trend Micro HouseCall for Home Networks version 5.3.1179 and below could allow an attacker to escalate privileges by placing arbitrary code on a specified folder and have that code be executed by an Administrator who is running a scan. Please note that an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-31519, N/A, N/A

trend_micro -- im_security
Description: A weak session token authentication bypass vulnerability in Trend Micro IM Security 1.6 and 1.6.5 could allow a remote attacker to guess currently logged-in administrators' session token in order to gain access to the product's web management interface.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-31520, N/A, N/A

beckhoff -- twincat_opc_ua_server [vendor/product field garbled in the source; taken from the description]
Description: TwinCAT OPC UA Server in versions up to 2.3.0.12 and IPC Diagnostics UA Server in versions up to 3.1.0.1 from Beckhoff Automation GmbH & Co. KG are vulnerable to denial of service attacks. The attacker needs to send several specifically crafted requests to the running OPC UA server. After some of these requests the OPC UA server is no longer responsive to any client. This is without effect to the real-time functionality of IPCs.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-12526, CONFIRM, CONFIRM

upx -- upx
Description: A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-24119, CONFIRM

vmware -- workspace_one_uem_console
Description: VMware Workspace one UEM console (2102 prior to 21.2.0.8, 2101 prior to 21.1.0.14, 2011 prior to 20.11.0.27, 2010 prior to 20.10.0.16, 2008 prior to 20.8.0.28, 2007 prior to 20.7.0.14, 2006 prior to 20.6.0.19, 2005 prior to 20.5.0.46, 2004 prior to 20.4.0.21, 2003 prior to 20.3.0.23, 2001 prior to 20.1.0.32, 1912 prior to 19.12.0.24) contain a cross-site scripting vulnerability. VMware Workspace ONE UEM console does not validate incoming requests during device enrollment after leading to rendering of unsanitized input on the user device in response.
Published: 2021-05-11
CVSS Score: not yet calculated





wago -- wago
Description: In multiple managed switches by WAGO in different versions special crafted requests can lead to cookies being transferred to third parties.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-20996, CONFIRM

wago -- wago
Description: In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-20998, CONFIRM

wago -- wago
Description: In multiple managed switches by WAGO in different versions an attacker may trick a legitimate user to click a link to inject possible malicious code into the Web-Based Management.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-20994, CONFIRM

wago -- wago
Description: In multiple managed switches by WAGO in different versions the webserver cookies of the web based UI contain user credentials.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-20995, CONFIRM

wago -- wago
Description: In multiple managed switches by WAGO in different versions the activated directory listing provides an attacker with the index of the resources located inside the directory.
Published: 2021-05-13
CVSS Score: not yet calculated

wago -- wago
Description: In multiple managed switches by WAGO in different versions it is possible to read out the password hashes of all Web-based Management users.
Published: 2021-05-13
CVSS Score: not yet calculated

warnsystem -- warnsystem
Description: WarnSystem is a cog (plugin) for the Red discord bot. A vulnerability has been found in the code that allows any user to access sensitive information by setting up a specific template which is not properly sanitized. The problem has been patched in version 1.3.18. Users should update and type `!warnsysteminfo` to check that their version is 1.3.18 or above. As a workaround users may unload the WarnSystem cog or disable the `!warnset description` command globally.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29502, MISC, CONFIRM

weidmueller -- weidmueller [vendor/product field garbled in the source]
Description: In Weidmüller u-controls and IoT-Gateways in versions up to 1.12.1 a network port intended only for device-internal usage is accidentally accessible via external network interfaces. By exploiting this vulnerability the device may be manipulated or the operation may be stopped.
Published: 2021-05-13
CVSS Score: not yet calculated

wildfly -- jboss_ejb_client
Description: A flaw was found in wildfly. The JBoss EJB client has publicly accessible privileged actions which may lead to information disclosure on the server it is deployed on. The highest threat from this vulnerability is to data confidentiality.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-20250, MISC

wind_river -- vxworks [vendor/product field garbled in the source; taken from the description]
Description: An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
Published: 2021-05-12
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-35198, MISC, MISC

windscribe -- windscribe
Description: In Windscribe v1.83 Build 20, 'WindscribeService' has an Unquoted Service Path that facilitates privilege escalation.
Published: 2021-05-10
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-22809, MISC

wire -- wire
Description: Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. E.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end, and by doing so allow the serializer to create any type on the deserializing end. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019. This also applies to the fork of Wire.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-29508, MISC, CONFIRM

wordpress -- wordpress
Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate an arbitrary plugin from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24193, CONFIRM





wordpress -- wordpress
Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24280, CONFIRM, MISC

wordpress -- wordpress
Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login Protection - Limit Failed Login Attempts WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate an arbitrary plugin from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24194, CONFIRM

wordpress -- wordpress
Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login as User or Customer (User Switching) WordPress plugin before 1.8, to install any plugin (including a specific version) from the WordPress repository, as well as activate an arbitrary plugin from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24195, CONFIRM

wordpress -- wordpress
Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate an arbitrary plugin from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24191, CONFIRM

wordpress -- wordpress
Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24278, MISC, CONFIRM
wordpress -- wordpress
Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Captchinoo, Google recaptcha for admin login page WordPress plugin before 2.4, to install any plugin (including a specific version) from the WordPress repository, as well as activate an arbitrary plugin from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Published: 2021-05-14
CVSS Score: not yet calculated

wordpress -- wordpress
Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24281, MISC, CONFIRM

wordpress -- wordpress
Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin's settings, wpcf7r_add_action to add actions to a form, and more.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CONFIRM

wordpress -- wordpress
Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Tree Sitemap WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate an arbitrary plugin from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Published: 2021-05-14
CVSS Score: not yet calculated

wordpress -- wordpress
Description: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users).
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24291, MISC, CONFIRM

wordpress -- wordpress
Description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24285, MISC, CONFIRM

wordpress -- wordpress
Description: The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24287, CONFIRM

wordpress -- wordpress
Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WooCommerce Conditional Marketing Mailer WordPress plugin before 1.5.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate an arbitrary plugin from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CONFIRM

wordpress -- wordpress
Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Content Copy Protection & No Right Click WordPress plugin before 3.1.5, to install any plugin (including a specific version) from the WordPress repository, as well as activate an arbitrary plugin from the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CONFIRM

wordpress -- wordpress
Description: The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile is unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24284, MISC, CONFIRM

wordpress -- wordpress
Description: The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its DjiNfDUN,NfD,D°D, (tab name mangled in the source) settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24277, CONFIRM





wordpress -- wordpress
Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository.
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-24279

wordpress -- wordpress
Description: The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.
Published: 2021-05-14
CVSS Score: not yet calculated

wordpress -- wordpress
Description: The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
Published: 2021-05-14
CVSS Score: not yet calculated

yara -- libyara/modules/macho/macho.c
Description: An integer overflow and several buffer overflow reads in libyara/modules/macho/macho.c in YARA v4.0.3 and earlier could allow an attacker to either cause denial of service or information disclosure via a malicious Mach-O file. Affects all versions before libyara 4.0.4.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: FEDORA, FEDORA, MISC, MISC

yfcmf -- yfcmf
Description: In YFCMF v2.3.1, there is a stored XSS vulnerability in the comments section of the news page.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-23689, MISC

yfcmf -- yfcmf
Description: YFCMF v2.3.1 has a Remote Command Execution (RCE) Vulnerability in the index.php.
Published: 2021-05-14
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-23691, MISC

yubico -- yubihsm-shell
Description: An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device because response_msg.st.len=8 can be accepted but triggers an integer overflow, which causes CRYPTO_cbc128_decrypt (in OpenSSL) to encounter an undersized buffer and experience a segmentation fault. The yubihsm-shell project is included in the YubiHSM 2 SDK product.
Published: 2021-05-10
CVSS Score: not yet calculated

zebra -- rfid_reader_fx9500_devices
Description: ** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered on Zebra (formerly Motorola Solutions) Fixed RFID Reader FX9500 devices. An unauthenticated attacker can upload arbitrary files to the filesystem that can then be accessed through the web interface. This can lead to information disclosure and code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-32089, MISC, MISC





zzcms -- zzcms
Description: Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.
Published: 2021-05-13
CVSS Score: not yet calculated
Source & Patch Info: CVE-2020-21342, MISC
zzzcms -- zzzphp
Description: zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an "if" "end if" block.
Published: 2021-05-11
CVSS Score: not yet calculated
Source & Patch Info: CVE-2021-32605, MISC, MISC